Add hardened headers to user-uploaded files (#25756)

mastodon · Jul 6, 2023 · f626e0d · f626e0d
1 parent 35830cd
commit f626e0d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -160,6 +160,10 @@ class Application < Rails::Application
       end
     end
 
+    config.public_file_server.headers = {
+      'X-Content-Type-Options' => 'nosniff',
+    }
+
     # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
     # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]
 

diff --git a/dist/nginx.conf b/dist/nginx.conf
@@ -109,6 +109,8 @@ server {
   location ~ ^/system/ {
     add_header Cache-Control "public, max-age=2419200, immutable";
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
     try_files $uri =404;
   }