From 78f8de236b7ab9755f0212a740d341a2518968da Mon Sep 17 00:00:00 2001 From: Vika Date: Thu, 2 Jan 2025 06:37:04 +0300 Subject: Set X-Content-Type-Options: nosniff This prevents browsers from guessing the Content-Type, and since we're always making sure to serve with the known-correct content type, we don't need the browser to guess. Change-Id: I02550d6763969f999ec22ec41e5539f945ea7ca4 --- src/frontend/mod.rs | 8 ++++++++ src/media/mod.rs | 4 ++++ 2 files changed, 12 insertions(+) (limited to 'src') diff --git a/src/frontend/mod.rs b/src/frontend/mod.rs index 8338ac6..9ba1a69 100644 --- a/src/frontend/mod.rs +++ b/src/frontend/mod.rs @@ -250,6 +250,10 @@ pub async fn homepage( axum::http::header::CONTENT_TYPE, axum::http::HeaderValue::from_static(r#"text/html; charset="utf-8""#), ); + headers.insert( + axum::http::header::X_CONTENT_TYPE_OPTIONS, + axum::http::HeaderValue::from_static("nosniff") + ); let user = session.as_deref().map(|s| &s.me); match tokio::try_join!( @@ -365,6 +369,10 @@ pub async fn catchall( axum::http::header::CONTENT_TYPE, axum::http::HeaderValue::from_static(r#"text/html; charset="utf-8""#), ); + headers.insert( + axum::http::header::X_CONTENT_TYPE_OPTIONS, + axum::http::HeaderValue::from_static("nosniff") + ); if user.is_some() { headers.insert( axum::http::header::CACHE_CONTROL, diff --git a/src/media/mod.rs b/src/media/mod.rs index 199f05f..6f263b6 100644 --- a/src/media/mod.rs +++ b/src/media/mod.rs @@ -103,6 +103,10 @@ pub(crate) async fn serve( .unwrap_or("application/octet-stream") ).unwrap() ); + headers.insert( + axum::http::header::X_CONTENT_TYPE_OPTIONS, + axum::http::HeaderValue::from_static("nosniff") + ); if let Some(length) = metadata.length { headers.typed_insert(ContentLength(length.get().try_into().unwrap())); } -- cgit 1.4.1