Skip to content

Add X-Content-Type-Options: nosniff header

Dominic Couture requested to merge dcouture-master-patch-54390 into master

What does this MR do?

It adds a X-Content-Type-Options: nosniff header to prevent content sniffing vulnerabilities. In reality we're not exploitable on that path given there's no user content, but it shows up in security scanners and seemed like an easy fix.

Related issues

Closes #5963 (closed)
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/296965

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Test plan

Requests to /assets/* should have the X-Content-Type-Options: nosniff header. No other noticeable differences are expected.

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by Dominic Couture

Merge request reports

Loading