[MEN-5111] Implement X-Content-Type-Options: nosniff on all requests - Northern.tech AS

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: (None)
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.2.0
Labels:
- Backend
- SaaS

Sprint:
MEN Sprint 146
Story Points:
2
Backlog:
yes
Days in progress:
0

Description

In the responses of the application, the X-Content-Type-Options header was not identified.
This header protects against attacks based on the so-called MIME-sniffing or guessing the MIME type of a response by web browsers based on the content of the response instead of Content-Type header value. This may lead to the browser being forced to load the resource as HTML, even if its type is e.g. application/json. As a result, an XSS attack may be performed.

More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

A header should be added in all server responses:

X-Content-Type-Options: nosniff

Attachments

Activity

People

Assignee:: Manuel Zedel

Reporter:: Fabio Tranchitella

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 26/Sep/21 8:10 AM

Updated:: 28/Sep/21 11:35 AM

Resolved:: 28/Sep/21 11:18 AM