authorMicah Anderson <micah@riseup.net>2016-10-24 11:29:59 -0400
committerMicah Anderson <micah@riseup.net>2016-10-24 11:29:59 -0400
commit53ddc64b6aa98653b35b23c334df605ed26ea60b (patch)
tree721a8d822eebe03e7579d01440845ce34ab038ac
parent15f8dd13c6d26fa1ad0d06d3ea03e8df260224db (diff)
Set X-Content-Type-Options nosniff.
Setting this header prevents the browser from interpreting files as something other than what the Content-Type header declares. This stops the browser from MIME-sniffing a response away from the declared content type. When this header is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing it to be interpreted and displayed as a content type other than the declared one.
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb1
1 files changed, 1 insertions, 0 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bfa5d04d..5e27a9e4 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %>
<% end -%>
Header always unset X-Powered-By
Header always unset X-Runtime
+ Header always set X-Content-Type-Options: nosniff
</IfModule>
DocumentRoot /srv/leap/webapp/public
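Review bot: The added directive writes the header name with a trailing colon, `X-Content-Type-Options:`, whereas mod_headers' documented syntax takes the bare field name, and the two `unset` lines directly above use that bare form; `Header always set X-Content-Type-Options nosniff` keeps the file consistent. mod_headers appears to tolerate the trailing colon, so this reads as a style point rather than a functional defect, but it is worth confirming on a running instance that the emitted header is exactly `X-Content-Type-Options: nosniff` with a single colon. `always` is the right choice here, since it also covers error responses, which are a common place for a missing header. The enclosing `<IfModule>` opens outside the hunk, and the hunk header announces seven new-side lines while six are visible, so a trailing context line may have been cut from this view.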