From b520907ec1c3e2065b635a9d0859dced86aedf1a Mon Sep 17 00:00:00 2001
From: Aviral Gangwar
Date: Sun, 31 May 2020 02:04:50 +0530
Subject: [PATCH] [FIX] Set `x-content-type-options: nosniff` header (#16232)

---
 app/cors/server/cors.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/cors/server/cors.js b/app/cors/server/cors.js
index 9c6d8eb31803..1022c1edcb87 100644
--- a/app/cors/server/cors.js
+++ b/app/cors/server/cors.js
@@ -54,6 +54,9 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
 	// XSS Protection for old browsers (IE)
 	res.setHeader('X-XSS-Protection', '1');
 
+	// X-Content-Type-Options header to prevent MIME Sniffing
+	res.setHeader('X-Content-Type-Options', 'nosniff');
+
 	if (settings.get('Iframe_Restrict_Access')) {
 		res.setHeader('X-Frame-Options', settings.get('Iframe_X_Frame_Options'));
 	}
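Review bot: The added `res.setHeader('X-Content-Type-Options', 'nosniff')` runs unconditionally in the raw connect handler, and `nosniff` does more than the comment says: browsers also refuse to execute `<script>` and `<link rel="stylesheet">` resources whose `Content-Type` is not a JavaScript/CSS type, so any route that serves assets with a missing or generic `Content-Type` would stop loading after this change. Suggest widening the comment to record that side effect: `// X-Content-Type-Options: nosniff — blocks MIME sniffing; browsers will also reject script/style responses whose Content-Type does not match, so every asset route must send a correct Content-Type`. A later middleware calling `res.setHeader` with the same name would silently replace this value, so a test asserting the header is present on a plain GET would pin the behaviour. The enclosing handler continues outside the hunk.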