From 2430caaa97d75724f2757e80a48d644648ef3a3d Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Wed, 2 Jul 2025 09:52:35 +0200
Subject: [PATCH] Add `X-Content-Type-Options` 'nosniff'` header in apache to harden against XSS attacks sneaking in scripts or stylesheets from arbitrary files.
---
 mig/install/apache-MiG-template.conf | 4 ++++
 tests/fixture/confs-stdlocal/MiG.conf | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/mig/install/apache-MiG-template.conf b/mig/install/apache-MiG-template.conf
index c3f9a4a1b..685765631 100644
--- a/mig/install/apache-MiG-template.conf
+++ b/mig/install/apache-MiG-template.conf
@@ -169,6 +169,10 @@ Alias /status-events.json "__MIG_STATE__/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Set X-Content-Type-Options to harden for XSS abusing script or styles as
+ # recommended by W3C and security scans.
+ Header always set X-Content-Type-Options: "nosniff"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.
diff --git a/tests/fixture/confs-stdlocal/MiG.conf b/tests/fixture/confs-stdlocal/MiG.conf
index 774cede66..7443b777d 100644
--- a/tests/fixture/confs-stdlocal/MiG.conf
+++ b/tests/fixture/confs-stdlocal/MiG.conf
@@ -169,6 +169,10 @@ Alias /status-events.json "/home/mig/state/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Set X-Content-Type-Options to harden for XSS abusing script or styles as
+ # recommended by W3C and security scans.
+ Header always set X-Content-Type-Options: "nosniff"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.
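Review bot: The added directive `Header always set X-Content-Type-Options: "nosniff"` carries a trailing colon on the header name, unlike the `Referrer-Policy` line directly above it; mod_headers appears to tolerate a trailing colon, but it is inconsistent with the rest of this block and reads like a typo, so `Header always set X-Content-Type-Options "nosniff"` would be the safer spelling. The identical line is added in the tests/fixture/confs-stdlocal/MiG.conf hunk and should be changed there too so the fixture keeps matching the template. Because `nosniff` makes browsers refuse to execute scripts or apply stylesheets whose response Content-Type does not match, any `.js` or `.css` under the served roots that currently relies on sniffing (no mime.types/AddType mapping) will stop loading after this rollout, so it is worth confirming MIME coverage for the static paths first. The comment could describe the mechanism rather than the attack, e.g. `# Disable MIME sniffing so browsers only load scripts/styles served with a matching Content-Type`.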