fix: set X-Content-Type-Options: nosniff on raw file responses

Prevents browsers from MIME-sniffing uploaded files into a renderable type.
This commit is contained in:
Henrique Dias 2026-06-03 12:21:23 +02:00
parent 19514367ad
commit 35db07d015
No known key found for this signature in database

View file

@ -225,6 +225,7 @@ func rawFileHandler(w http.ResponseWriter, r *http.Request, file *files.FileInfo
setContentDisposition(w, r, file)
w.Header().Add("Content-Security-Policy", `script-src 'none';`)
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Cache-Control", "private")
http.ServeContent(w, r, file.Name, file.ModTime, fd)
return 0, nil