
[Issue] fix: add X-Content-Type-Options nosniff header to Apache htaccess #40773

@m2-assistant

This issue is automatically created based on existing pull request: #40682: fix: add X-Content-Type-Options nosniff header to Apache htaccess


Description

Add the X-Content-Type-Options: nosniff security header in pub/.htaccess alongside the existing X-Frame-Options header.

Problem

The .htaccess configuration sets X-Frame-Options: SAMEORIGIN to prevent clickjacking but does not set X-Content-Type-Options: nosniff. Without this header, browsers may MIME-sniff responses and interpret files as a different content type than declared, which can lead to:

  • Uploaded files in /media/ being interpreted as executable HTML/JavaScript
  • CSS files containing JavaScript being executed as script
  • Content-type confusion attacks

Solution

Add Header set X-Content-Type-Options "nosniff" in the mod_headers block of pub/.htaccess. This is set at the top-level .htaccess so it applies to all responses served through Apache.
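The mod_headers block as it would look with the proposed directive in place, given here as an added example rather than a copy of the project's pub/.htaccess: the <IfModule> guard and the comment layout are assumptions about how the file is structured, while the two Header lines are the ones the issue discusses.

```apache
# Added example, not the shipped pub/.htaccess. The <IfModule> guard is an
# assumption about the file's structure; it keeps Apache from failing on the
# Header directives when mod_headers is not loaded.
<IfModule mod_headers.c>
    ############################################
    ## Prevent clickjacking (directive already present in pub/.htaccess)
    Header set X-Frame-Options "SAMEORIGIN"

    ############################################
    ## Stop browsers from MIME-sniffing a response away from its declared
    ## Content-Type (the directive proposed in this issue)
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

After the change is deployed, a `curl -sI` request for any URL served through this .htaccess should show both headers in the response; if X-Content-Type-Options is missing, the usual causes are that the vhost's AllowOverride does not permit .htaccess directives or that mod_headers is not enabled. Note also that `Header set` applies only to successful responses; if error pages (404, 500) must carry the header as well, the `always` condition (`Header always set ...`) covers those too.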

References

Files Changed

  • pub/.htaccess

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
then sponsor me on GitHub so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz

Labels: Issue: ready for confirmation; Reported on 2.4.x (indicates the original Magento version for the issue report); Triage: Dev.Experience (issue related to Developer Experience and needs help with triage to confirm or reject it)


Status: Ready for Confirmation
