bmcweb: Add X-Content-Type-Options header

Because we should always be posting the correct mime type on all of our pages, add a "nosniff" flag, to improve our protection against injection attacks. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options Change-Id: I4a311948e5e157b4071effddff577c73b65d7af1 Signed-off-by: Ed Tanous <ed.tanous@intel.com>
author: Ed Tanous <ed.tanous@intel.com> 2018-12-10 13:37:44 -0800
committer: Ed Tanous <ed.tanous@intel.com> 2018-12-18 21:10:32 +0000
commit: 02db306468d8e1f2b044b616841ffa93f25c7e5d (patch)
tree: f613e4db7a546df5c7435f9275c7cf9a4c97c617 /include
parent: da7f41eaa8e20bef9d866c2e95042227249b2528 (diff)
download: bmcweb-02db306468d8e1f2b044b616841ffa93f25c7e5d.tar.gz
bmcweb-02db306468d8e1f2b044b616841ffa93f25c7e5d.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 872f4aa..237438b 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -39,6 +39,7 @@ struct SecurityHeadersMiddleware
         res.addHeader("X-Content-Security-Policy", "default-src 'self'");
         res.addHeader("X-XSS-Protection", "1; "
                                           "mode=block");
+        res.addHeader("X-Content-Type-Options", "nosniff");
         res.addHeader("X-UA-Compatible", "IE=11");
 
 #ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
author	Ed Tanous <ed.tanous@intel.com>	2018-12-10 13:37:44 -0800
committer	Ed Tanous <ed.tanous@intel.com>	2018-12-18 21:10:32 +0000
commit	02db306468d8e1f2b044b616841ffa93f25c7e5d (patch)
tree	f613e4db7a546df5c7435f9275c7cf9a4c97c617 /include
parent	da7f41eaa8e20bef9d866c2e95042227249b2528 (diff)
download	bmcweb-02db306468d8e1f2b044b616841ffa93f25c7e5d.tar.gz bmcweb-02db306468d8e1f2b044b616841ffa93f25c7e5d.zip