From fa705f6466f2d7cef3e407d49de3c47ff4aeafc7 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Mon, 25 Apr 2022 14:00:07 -0400
Subject: [PATCH] Add the X-Content-Type-Options nosniff header
---
 roles/installer/templates/config.yaml.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2
index 6fb5b42d..bb2dfae7 100644
--- a/roles/installer/templates/config.yaml.j2
+++ b/roles/installer/templates/config.yaml.j2
@@ -176,6 +176,8 @@ data:
 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
 add_header X-Frame-Options "DENY";
+ # Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ add_header X-Content-Type-Options nosniff;
 location /nginx_status {
 stub_status on;
@@ -229,6 +231,7 @@ data:
 add_header Strict-Transport-Security max-age=15768000;
 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
 add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options nosniff;
 add_header Cache-Control "no-cache, no-store, must-revalidate";
 add_header Expires "0";
 add_header Pragma "no-cache";
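Review bot: The added `add_header X-Content-Type-Options nosniff;` in both hunks is only emitted by nginx on its default set of success and redirect status codes, so 4xx/5xx responses from these blocks still go out without the header; `add_header X-Content-Type-Options nosniff always;` attaches it to every response (the same limitation applies to the existing X-Frame-Options and Strict-Transport-Security lines, which this commit does not touch). In the second hunk the directive is added without the explanatory comment that the first hunk introduces; repeating `# Protect against MIME content sniffing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options` above it keeps the two header blocks consistent. Because nginx only inherits `add_header` directives into a nested block that declares none of its own, whether the `location /nginx_status` block shown in the first hunk actually gets this header depends on its full body, which runs past the hunk. The enclosing server/location blocks begin and end outside both hunks.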