Mender / MEN-5111

Implement X-Content-Type-Options: nosniff on all requests

    Details

    • Type: Bug
    • Status: Done
    • Priority: (None)
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.0
    • Labels:
    • Sprint:
      MEN Sprint 146
    • Story Points:
      2
    • Backlog:
      yes
    • Days in progress:
      0

      Description

      In the responses of the application, the X-Content-Type-Options header was not identified.
      This header protects against attacks based on the so-called MIME-sniffing or guessing the MIME type of a response by web browsers based on the content of the response instead of Content-Type header value. This may lead to the browser being forced to load the resource as HTML, even if its type is e.g. application/json. As a result, an XSS attack may be performed.

      More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

      A header should be added in all server responses:

      X-Content-Type-Options: nosniff
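
      One way to apply the header to every response and confirm coverage, as an added example (not Mender's own code). The routes, the handler bodies and the names noSniff, demoMux and missingNoSniff are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// noSniff wraps a handler so the header is set before any inner handler
// runs, which covers success, empty and error responses alike.
func noSniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// demoMux builds constructed routes: a JSON API whose body contains markup
// (the case a sniffing browser could treat as HTML) and an empty 204 reply.
func demoMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/devices", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"name":"<b>device</b>"}`)
	})
	mux.HandleFunc("/api/empty", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	return mux
}

// missingNoSniff requests each path in-process and returns the paths whose
// response does not carry "X-Content-Type-Options: nosniff".
func missingNoSniff(h http.Handler, paths []string) []string {
	var missing []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Result().Header.Get("X-Content-Type-Options") != "nosniff" {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	paths := []string{"/api/devices", "/api/empty", "/does-not-exist"}
	fmt.Println("bare mux, header missing on:", missingNoSniff(demoMux(), paths))
	fmt.Println("wrapped, header missing on: ", missingNoSniff(noSniff(demoMux()), paths))
}
```

      The same check can run as a regression test against the real router, with the path list extended to static assets and error routes.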

       

            People

            Assignee:
            mzedel Manuel Zedel
            Reporter:
            tranchitella Fabio Tranchitella
            Votes:
            0
            Watchers:
            2