[FIX] Set x-content-type-options: nosniff header (#16232)

RocketChat · May 30, 2020 · b520907 · b520907
1 parent 6737956
commit b520907
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/app/cors/server/cors.js b/app/cors/server/cors.js
@@ -54,6 +54,9 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
 	// XSS Protection for old browsers (IE)
 	res.setHeader('X-XSS-Protection', '1');
 
+	// X-Content-Type-Options header to prevent MIME Sniffing
+	res.setHeader('X-Content-Type-Options', 'nosniff');
+
 	if (settings.get('Iframe_Restrict_Access')) {
 		res.setHeader('X-Frame-Options', settings.get('Iframe_X_Frame_Options'));
 	}