Add hardened headers to user-uploaded files

2023-06-21 14:18:04 +02:00 · 2023-06-21 14:18:04 +02:00 · c309011346
commit c309011346
parent 6b538225af
2 changed files with 7 additions and 0 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -161,6 +161,10 @@ module Mastodon

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone]

+    config.public_file_server.headers = {
+      'X-Content-Type-Options' => 'nosniff',
+    }
+
    # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
    # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]