Set nosniff header on assets requests
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/296965
It sets the appropriate HTTP header to make sure browsers don't do any MIME-sniffing. It can lead to security issues (XSS) when user-controlled content that wasn't intended to be HTML is "sniffed" as HTML. This shouldn't happen in GitLab, however some scanners complain about the lack of header.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
- Visit GitLab and observe in the dev tools all the `/assets/*` requests
- Observe that they have the `X-Content-Type-Options: nosniff` header
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Couture
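Added illustration, not part of this MR's diff and not GitLab's own code (GitLab may set the header in Rails, Workhorse or NGINX; the MR text does not say which): a plain-Ruby, Rack-style middleware that adds `X-Content-Type-Options: nosniff` to `/assets/*` responses, a case-insensitive checker that mirrors the manual validation step above, and a deliberately simplified model of the browser's "sniff-scriptable" rule showing why the header matters when a response carries no usable `Content-Type`. `NosniffAssets`, `ASSET_APP`, `effective_type` and the sample paths are hypothetical names constructed for the example; no gems are required.

```ruby
# Added example: not the MR's change and not GitLab code. Rack-style objects
# only (no gems), so it runs stand-alone.

NOSNIFF_HEADER = 'X-Content-Type-Options'
NOSNIFF_VALUE  = 'nosniff'

# Rack-style middleware (hypothetical): adds the header to every response whose
# path begins with the asset prefix, regardless of status code.
class NosniffAssets
  def initialize(app, prefix: '/assets/')
    @app = app
    @prefix = prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env['PATH_INFO'].to_s.start_with?(@prefix)
      headers = headers.merge(NOSNIFF_HEADER => NOSNIFF_VALUE)
    end
    [status, headers, body]
  end
end

# Header names are case-insensitive, and the Fetch spec compares the value
# case-insensitively as well, so `nosniff`, `NOSNIFF`, etc. all count.
def nosniff?(headers)
  headers.any? do |name, value|
    name.to_s.casecmp?(NOSNIFF_HEADER) && value.to_s.strip.casecmp?(NOSNIFF_VALUE)
  end
end

# Declared media type without parameters, or nil when the header is absent.
def content_type(headers)
  pair = headers.find { |name, _| name.to_s.casecmp?('Content-Type') }
  pair && pair.last.to_s.split(';').first.to_s.strip
end

# Toy model (assumption: a simplification of the MIME Sniffing standard, not a
# faithful implementation): with no usable Content-Type, a body that looks like
# HTML is treated as text/html unless nosniff is set, in which case the
# browser falls back to text/plain instead of sniffing for script.
SNIFFABLE  = [nil, '', 'unknown/unknown', 'application/unknown', '*/*'].freeze
HTML_START = /\A\s*<(!doctype html|html|head|body|script)[\s>]/i

def effective_type(headers, body)
  declared = content_type(headers)
  return declared unless SNIFFABLE.include?(declared)
  return 'text/plain' if nosniff?(headers)
  body =~ HTML_START ? 'text/html' : 'text/plain'
end

# Constructed stand-in for the asset server (sample data, not real GitLab assets).
ASSET_APP = lambda do |env|
  case env['PATH_INFO']
  when '/assets/application.js'
    [200, { 'Content-Type' => 'application/javascript' }, ['console.log("hi")']]
  when '/assets/legacy.bin'
    [200, {}, ['<script>alert(1)</script>']] # no Content-Type at all
  else
    [404, { 'Content-Type' => 'text/plain' }, ['not found']]
  end
end

def fetch(app, path)
  app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path)
end

# Mirrors the manual check: which of the given paths come back without nosniff?
def missing_nosniff(app, paths)
  paths.reject { |path| nosniff?(fetch(app, path)[1]) }
end

if __FILE__ == $PROGRAM_NAME
  paths = ['/assets/application.js', '/assets/legacy.bin']
  hardened = NosniffAssets.new(ASSET_APP)
  puts "without middleware, missing nosniff: #{missing_nosniff(ASSET_APP, paths).inspect}"
  puts "with middleware, missing nosniff:    #{missing_nosniff(hardened, paths).inspect}"
  _, h, b = fetch(ASSET_APP, '/assets/legacy.bin')
  puts "legacy.bin without nosniff -> #{effective_type(h, b.join)}"
  _, h, b = fetch(hardened, '/assets/legacy.bin')
  puts "legacy.bin with nosniff    -> #{effective_type(h, b.join)}"
end
```

The middleware applies the header to 404s under the prefix too, since a scanner will request non-existent asset paths as well as real ones; `missing_nosniff` is the automated form of the dev-tools check in the validation steps, and can be pointed at any Rack-compatible app object.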