Opened 12 years ago

Closed 11 years ago

Last modified 9 years ago

#461 closed defect (fixed)

Add X-Content-Type-Options: nosniff to default nginx config in docs

Reported by: Christopher Allan Webber Owned by: pythonsnake
Priority: major Milestone:
Component: documentation Keywords: bitesized, review
Cc: tycho, Will Kahn-Greene, Elrond Parent Tickets:


We should add "X-Content-Type-Options: nosniff" to our HTTP response headers via nginx in our "default config". This will help prevent someone uploading a .txt file that the browser interprets as an HTML file, etc (which could be used to initiate an XSS attack or etc).

We could probably add such support via:

Change History (6)

comment:1 by Christopher Allan Webber, 12 years ago

Cc: Elrond added

comment:2 by pythonsnake, 11 years ago

Owner: set to pythonsnake
Status: newassigned

comment:4 by pythonsnake, 11 years ago

Keywords: review added

comment:5 by Elrond, 11 years ago

For those not using nginx, should we add this header using paste? Or maybe using a meddleware? Just a quick thought.

comment:6 by Christopher Allan Webber, 11 years ago

Resolution: fixed
Status: assignedclosed


Re: non-nginx, I wouldn't mind a meddleware/middleware solution, but think it is non-urgent. It might not help though because if someone clicks on a .txt file, it isn't served through mediagoblin anyway.

Note: See TracTickets for help on using tickets.