Add hardened headers to user-uploaded files (#25756)

2024-11-09 09:12:19 +00:00 · 2023-06-21 14:18:04 +02:00 · 2023-06-21 14:18:04 +02:00 · f626e0d228
parent 35830cd8cc
commit f626e0d228
2 changed files with 6 additions and 0 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -160,6 +160,10 @@ module Mastodon
      end
    end

+    config.public_file_server.headers = {
+      'X-Content-Type-Options' => 'nosniff',
+    }
+
    # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
    # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]

--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@ -109,6 +109,8 @@ server {
  location ~ ^/system/ {
    add_header Cache-Control "public, max-age=2419200, immutable";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
    try_files $uri =404;
  }