commit | 02db306468d8e1f2b044b616841ffa93f25c7e5d | |
---|---|---|
author | Ed Tanous <ed.tanous@intel.com> | Mon Dec 10 13:37:44 2018 -0800 |
committer | Ed Tanous <ed.tanous@intel.com> | Tue Dec 18 21:10:32 2018 +0000 |
tree | f613e4db7a546df5c7435f9275c7cf9a4c97c617 | |
parent | da7f41eaa8e20bef9d866c2e95042227249b2528 | |

bmcweb: Add X-Content-Type-Options header

Because we should always be posting the correct mime type on all of our pages, add a "nosniff" flag, to improve our protection against injection attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Change-Id: I4a311948e5e157b4071effddff577c73b65d7af1

Signed-off-by: Ed Tanous <ed.tanous@intel.com>

diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp index 872f4aa..237438b 100644 --- a/include/security_headers_middleware.hpp +++ b/include/security_headers_middleware.hpp
@@ -39,6 +39,7 @@ res.addHeader("X-Content-Security-Policy", "default-src 'self'"); res.addHeader("X-XSS-Protection", "1; " "mode=block"); + res.addHeader("X-Content-Type-Options", "nosniff"); res.addHeader("X-UA-Compatible", "IE=11"); #ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
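
Review bot: the added `res.addHeader("X-Content-Type-Options", "nosniff");` line turns the commit message's assumption that every page is served with the correct MIME type into a hard requirement, and nothing in this hunk checks it. With nosniff, browsers refuse script and stylesheet responses whose Content-Type is missing or does not match, so a route that omits the header will now fail to load in the web UI instead of being sniffed. Suggest confirming that every route serving script or stylesheet content sets Content-Type explicitly, and adding a one-line comment above the new call stating that dependency. The line sits above the `#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION` block, so it applies in both build configurations, which looks right for this header.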