Disable browser MIME confusion attacks via content-type sniffing

willnorris · Oct 16, 2020 · c08b3c5 · c08b3c5
1 parent c6206ea
commit c08b3c5
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/imageproxy.go b/imageproxy.go
@@ -255,6 +255,9 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	// Add a Content-Security-Policy to prevent stored-XSS attacks via SVG files
 	w.Header().Set("Content-Security-Policy", "script-src 'none'")
 
+	// Disable Content-Type sniffing
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+
 	w.WriteHeader(resp.StatusCode)
 	if _, err := io.Copy(w, resp.Body); err != nil {
 		p.logf("error copying response: %v", err)