diff options
| author | Claire <claire.github-309c@sitedethib.com> | 2023-07-06 14:31:37 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-07-06 14:31:37 +0200 |
| commit | fed9cbfd2ba8db8bffb03f554c24d83b6f8aa059 (patch) | |
| tree | 67cfa95286c5d8197adb72c6aeced355a40a8e72 | |
| parent | 000b8358034106c63fc69f4deeac8a6fb7b51f92 (diff) | |
Add hardened headers to user-uploaded files (#25756)
| -rw-r--r-- | dist/nginx.conf | 2 | ||||
| -rw-r--r-- | lib/public_file_server_middleware.rb | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/dist/nginx.conf b/dist/nginx.conf index bed4bd3db9f..fc68e9a6d12 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -109,6 +109,8 @@ server { location ~ ^/system/ { add_header Cache-Control "public, max-age=2419200, immutable"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "default-src 'none'; form-action 'none'"; try_files $uri =404; } diff --git a/lib/public_file_server_middleware.rb b/lib/public_file_server_middleware.rb index 3799230a22d..7e02e37a084 100644 --- a/lib/public_file_server_middleware.rb +++ b/lib/public_file_server_middleware.rb @@ -32,6 +32,11 @@ class PublicFileServerMiddleware end end + # Override the default CSP header set by the CSP middleware + headers['Content-Security-Policy'] = "default-src 'none'; form-action 'none'" if request_path.start_with?(paperclip_root_url) + + headers['X-Content-Type-Options'] = 'nosniff' + [status, headers, response] end |