#461 closed defect (fixed)
Add X-Content-Type-Options: nosniff to default nginx config in docs
Reported by: | Christopher Allan Webber | Owned by: | pythonsnake |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | documentation | Keywords: | bitesized, review |
Cc: | tycho, Will Kahn-Greene, Elrond | Parent Tickets: | |
Description
We should add "X-Content-Type-Options: nosniff" to our HTTP response headers via nginx in our "default config". This will help prevent someone uploading a .txt file that the browser interprets as an HTML file, etc. (which could be used to initiate an XSS attack, etc.).
https://bugzilla.mozilla.org/show_bug.cgi?id=471020
We could probably add such support via:
Change History (6)
comment:1 by , 12 years ago
Cc: | added |
---|---|
comment:2 by , 12 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:3 by , 12 years ago
comment:4 by , 12 years ago
Keywords: | review added |
---|---|
comment:5 by , 12 years ago
For those not using nginx, should we add this header using paste? Or maybe using a meddleware? Just a quick thought.
comment:6 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Merged!
Re: non-nginx, I wouldn't mind a meddleware/middleware solution, but think it is non-urgent. It might not help though because if someone clicks on a .txt file, it isn't served through mediagoblin anyway.
Done: https://github.com/pythonsnake/MediaDwarf/tree/461_nosniff