From 35db07d0159c520a6b3c969ac52033593914fadd Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Wed, 3 Jun 2026 12:21:23 +0200 Subject: [PATCH] fix: set X-Content-Type-Options: nosniff on raw file responses Prevents browsers from MIME-sniffing uploaded files into a renderable type. --- http/raw.go | 1 + 1 file changed, 1 insertion(+) diff --git a/http/raw.go b/http/raw.go index b057e95e..f0b12455 100644 --- a/http/raw.go +++ b/http/raw.go @@ -225,6 +225,7 @@ func rawFileHandler(w http.ResponseWriter, r *http.Request, file *files.FileInfo setContentDisposition(w, r, file) w.Header().Add("Content-Security-Policy", `script-src 'none';`) + w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("Cache-Control", "private") http.ServeContent(w, r, file.Name, file.ModTime, fd) return 0, nil