From 53ddc64b6aa98653b35b23c334df605ed26ea60b Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 24 Oct 2016 11:29:59 -0400
Subject: Set X-Content-Type-Options nosniff.

Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bfa5d04d..5e27a9e4 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %>
 <% end -%>
 Header always unset X-Powered-By
 Header always unset X-Runtime
+ Header always set X-Content-Type-Options: nosniff
 DocumentRoot /srv/leap/webapp/public
--
cgit v1.2.3
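Review bot: The added line spells the header name with a trailing colon, `Header always set X-Content-Type-Options: nosniff`, while the documented mod_headers syntax and the two `Header always unset` lines directly above it use the bare name. mod_headers strips a trailing colon from the name, so the directive works as intended, but the canonical `Header always set X-Content-Type-Options nosniff` keeps the three directives consistent and spares a reader from checking whether the colon ends up inside the emitted header name. Using `always` is the right choice here, since it also applies the header to non-2xx responses, which an API vhost routinely returns. The enclosing VirtualHost block and the ERB conditional closed by `<% end -%>` both begin outside the hunk.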