From a9b41957325a4150e00eb1ff93406f24f48f8e6a Mon Sep 17 00:00:00 2001 From: Sebastian Firsching <56029682+sebastian-firsching@users.noreply.github.com> Date: Thu, 20 Feb 2020 11:09:29 +0100 Subject: [PATCH] Add x-content-type-options header to fileStreamingUtil (#934) * Add x-content-type-options header to fileStreamingUtil Signed-off-by: Sebastian Firsching * Add comment why the x-content-type-options header has to be set Signed-off-by: Sebastian Firsching --- .../java/org/eclipse/hawkbit/rest/util/FileStreamingUtil.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/util/FileStreamingUtil.java b/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/util/FileStreamingUtil.java index e56518edc..98ea2454a 100644 --- a/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/util/FileStreamingUtil.java +++ b/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/util/FileStreamingUtil.java @@ -131,6 +131,10 @@ public final class FileStreamingUtil { response.setHeader(HttpHeaders.CONTENT_DISPOSITION, "attachment;filename=" + filename); response.setHeader(HttpHeaders.ETAG, etag); response.setHeader(HttpHeaders.ACCEPT_RANGES, "bytes"); + // set the x-content-type options header to prevent browsers from doing + // MIME-sniffing when downloading an artifact, as this could cause a + // security vulnerability + response.setHeader(com.google.common.net.HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff"); if (lastModified > 0) { response.setDateHeader(HttpHeaders.LAST_MODIFIED, lastModified); }