When I recently switched my first application to use rack-protection, I realized that the only difference is that
since security issues are always on the move, my understanding of things is limited. But when I looked into the code,
it shows that the header is only set with HTML content.
Finally I looked at how Google handles such an isolated image URL (see response headers):
And yes, they do send the nosniff option!!
It is no good argument to just do it as Google does. But adding an extra header does not harm either, and it feels like being on the safe side of things.
Again looking at the logic of the code, it looks like with option[:nosniff] set to false there will be no X-XSS-Protection! Again my same argument: just send those headers. Maybe the X-XSS-Protection should be able to be switched off via option[:xss-protection] or via option[:xss_mode] == false or nil.
I can prepare a pull request if there are no objections to "be secure" by default and having more symmetric options to turn off either of those headers.
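The symmetric behaviour the issue asks for, as an added illustration that is not rack-protection's own code: a Rack-style middleware that sends X-Content-Type-Options on every response regardless of content type, and decides X-XSS-Protection on its own switch rather than on :nosniff. The option names :nosniff and :xss_mode are taken from the issue text; the class name, the sample apps and the helper are assumptions for this example.

```ruby
# Added example (not rack-protection's code): protection headers with
# independent on/off switches and no Content-Type dependence.
class SymmetricProtectionHeaders
  # :nosniff => true/false, :xss_mode => :block, true, false or nil
  DEFAULTS = { nosniff: true, xss_mode: :block }.freeze

  def initialize(app, options = {})
    @app = app
    @options = DEFAULTS.merge(options)
  end

  # Standard Rack interface: call(env) returns [status, headers, body].
  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup

    # nosniff is useful for images, JSON and scripts as much as for HTML,
    # so there is deliberately no html? check here.
    headers['X-Content-Type-Options'] ||= 'nosniff' if @options[:nosniff]

    # X-XSS-Protection is governed only by :xss_mode; false or nil turns
    # it off without touching the nosniff setting.
    mode = @options[:xss_mode]
    if mode
      headers['X-XSS-Protection'] ||= (mode == :block ? '1; mode=block' : '1')
    end

    [status, headers, body]
  end
end

# Constructed sample apps: an image endpoint and an HTML page.
IMAGE_APP = ->(_env) { [200, { 'Content-Type' => 'image/png' }, ['PNG...']] }
HTML_APP  = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Helper (assumed, not part of Rack): run one GET through the middleware
# with the given options and return the response headers.
def response_headers(app, options = {})
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' } # constructed env
  SymmetricProtectionHeaders.new(app, options).call(env)[1]
end
```

With the defaults the image response carries both headers; passing `nosniff: false` drops only X-Content-Type-Options, and `xss_mode: false` (or `nil`) drops only X-XSS-Protection.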
rework protection headers, fixes #40
Thanks for the fix. Hope I see a release before my current project goes public ;)