From f626e0d22892d9914402741d90ef670410211fcb Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 21 Jun 2023 14:18:04 +0200 Subject: [PATCH] Add hardened headers to user-uploaded files (#25756) --- config/application.rb | 4 ++++ dist/nginx.conf | 2 ++ 2 files changed, 6 insertions(+) diff --git a/config/application.rb b/config/application.rb index 720ea51ec1..e5ddfa0e1c 100644 --- a/config/application.rb +++ b/config/application.rb @@ -160,6 +160,10 @@ module Mastodon end end + config.public_file_server.headers = { + 'X-Content-Type-Options' => 'nosniff', + } + # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb') # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')] diff --git a/dist/nginx.conf b/dist/nginx.conf index 5bc960e256..b59446403b 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -109,6 +109,8 @@ server { location ~ ^/system/ { add_header Cache-Control "public, max-age=2419200, immutable"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "default-src 'none'; form-action 'none'"; try_files $uri =404; }