security: add X-Content-Type-Options: nosniff to block MIME-sniffing (#6344)

coder/security#12
2025-07-03 16:13:58 +00:00 · 2023-02-25 11:18:45 -06:00
parent cae8b88f60
commit d613ba9987
1 changed files with 10 additions and 0 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -319,6 +319,16 @@ func New(options *Options) *API {
 				next.ServeHTTP(w, r)
 			})
 		},
+		// This header stops a browser from trying to MIME-sniff the content type and
+		// forces it to stick with the declared content-type. This is the only valid
+		// value for this header.
+		// See: https://github.com/coder/security/issues/12
+		func(next http.Handler) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Add("X-Content-Type-Options", "nosniff")
+				next.ServeHTTP(w, r)
+			})
+		},
 		httpmw.CSRF(options.SecureAuthCookie),
 	)