Add hardened headers to user-uploaded files (#25756)

This commit is contained in:
Claire 2023-06-21 14:18:04 +02:00
parent 35830cd8cc
commit f626e0d228
2 changed files with 6 additions and 0 deletions

View file

@ -160,6 +160,10 @@ module Mastodon
end
end
config.public_file_server.headers = {
'X-Content-Type-Options' => 'nosniff',
}
# config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
# config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]

2
dist/nginx.conf vendored
View file

@ -109,6 +109,8 @@ server {
location ~ ^/system/ {
add_header Cache-Control "public, max-age=2419200, immutable";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
try_files $uri =404;
}