From c30901134654b759d06b8e5b16bf7f9608f199fc Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 21 Jun 2023 14:18:04 +0200 Subject: [PATCH] Add hardened headers to user-uploaded files --- config/application.rb | 4 ++++ dist/nginx.conf | 3 +++ 2 files changed, 7 insertions(+) diff --git a/config/application.rb b/config/application.rb index 21fc7a923..a2e32a8f9 100644 --- a/config/application.rb +++ b/config/application.rb @@ -161,6 +161,10 @@ module Mastodon config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone] + config.public_file_server.headers = { + 'X-Content-Type-Options' => 'nosniff', + } + # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb') # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')] diff --git a/dist/nginx.conf b/dist/nginx.conf index 7e0334368..cbcf328a6 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -61,12 +61,15 @@ server { location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "default-src 'none'; form-action 'none'"; try_files $uri @proxy; } location /sw.js { add_header Cache-Control "public, max-age=0"; add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-Content-Type-Options nosniff; try_files $uri @proxy; }