Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#461 closed defect (fixed)

Add X-Content-Type-Options: nosniff to default nginx config in docs

Reported by: Christopher Allan Webber Owned by: pythonsnake
Priority: major Milestone:
Component: documentation Keywords: bitesized, review
Cc: tycho, Will Kahn-Greene, Elrond Parent Tickets:

Description

We should add "X-Content-Type-Options: nosniff" to our HTTP response headers via nginx in our "default config". This will help prevent someone uploading a .txt file that the browser interprets as an HTML file, etc (which could be used to initiate an XSS attack or etc).

https://bugzilla.mozilla.org/show_bug.cgi?id=471020

We could probably add such support via:

http://wiki.nginx.org/HttpHeadersModule

Subtickets

Change History (6)

comment:1 Changed 8 years ago by Christopher Allan Webber

Cc: Elrond added

comment:2 Changed 8 years ago by pythonsnake

Owner: set to pythonsnake
Status: newassigned

comment:4 Changed 8 years ago by pythonsnake

Keywords: review added

comment:5 Changed 8 years ago by Elrond

For those not using nginx, should we add this header using paste? Or maybe using a meddleware? Just a quick thought.

comment:6 Changed 8 years ago by Christopher Allan Webber

Resolution: fixed
Status: assignedclosed

Merged!

Re: non-nginx, I wouldn't mind a meddleware/middleware solution, but think it is non-urgent. It might not help though because if someone clicks on a .txt file, it isn't served through mediagoblin anyway.

Note: See TracTickets for help on using tickets.