This issue is automatically created based on existing pull request: #40679: fix: add X-Content-Type-Options nosniff header to nginx config
Description
Add the X-Content-Type-Options: nosniff security header alongside the existing X-Frame-Options header in all applicable location blocks in nginx.conf.sample.
Problem
The sample Nginx configuration sets X-Frame-Options: SAMEORIGIN in multiple location blocks to prevent clickjacking, but does not set X-Content-Type-Options: nosniff. Without this header, browsers may perform MIME type sniffing on responses, potentially interpreting files as a different content type than declared.
This can lead to security issues such as:
- A CSS file containing JavaScript being executed as script
- An uploaded image being interpreted as HTML
- Content-type confusion attacks on user-uploaded files served from /media/
Solution
Add add_header X-Content-Type-Options "nosniff"; in every location block that already sets X-Frame-Options, including:
/setup/pub/ and /update/pub/ (admin setup/update assets)
/pub/ (public assets)
/static/ (versioned static assets, compressed files, fallback)
/media/ (media assets, compressed files, fallback)
This follows the same pattern used for X-Frame-Options — applied per-location rather than globally, matching Nginx's add_header inheritance behavior (a location block that defines any add_header directive of its own no longer inherits the add_header directives of its parent context, so a header set only at server level would silently disappear in those blocks).
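An added consistency check, not part of the PR or of nginx.conf.sample, that applies the inheritance rule above: it walks a config, and flags every location block that sets at least one add_header but no X-Content-Type-Options nosniff, since such a block drops any server-level nosniff. The config fragment below is constructed for the example; the regexes and function name are this example's own.

```python
import re

# Constructed fragment modelled on the issue's situation (not the real nginx.conf.sample):
# nosniff is set at server level, /pub/ overrides add_header without re-adding it.
SAMPLE_CONF = """
server {
    add_header X-Content-Type-Options "nosniff";
    location /pub/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
    location /static/ {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
    }
    location /media/ {
        try_files $uri $uri/ /get.php$is_args$args;
    }
}
"""

ADD_HEADER = re.compile(r'^\s*add_header\s+(\S+)\s+"?([^";]*)"?\s*;')
LOCATION = re.compile(r'^\s*location\s+(?:[=~*^]+\s+)?(\S+)\s*\{')


def find_locations_missing_nosniff(conf):
    """Return the location patterns that set some add_header but not
    X-Content-Type-Options nosniff. Blocks with no add_header at all are
    not flagged: they still inherit the parent's headers."""
    missing = []
    stack = []  # one (location_pattern_or_None, {header: value}) per open block
    for line in conf.splitlines():
        if "{" in line and "}" in line:
            continue  # one-line blocks (e.g. "if (...) { return 403; }") carry no headers
        m = LOCATION.match(line)
        if m:
            stack.append((m.group(1), {}))
            continue
        if line.strip().startswith("}") and stack:
            name, headers = stack.pop()
            if name and headers and headers.get("x-content-type-options", "").lower() != "nosniff":
                missing.append(name)
            continue
        if "{" in line:  # server/http/other block: tracked so nesting stays balanced
            stack.append((None, {}))
            continue
        h = ADD_HEADER.match(line)
        if h and stack:
            stack[-1][1][h.group(1).lower()] = h.group(2).strip()
    return missing
```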
References
Files Changed
nginx.conf.sample
⭐ Support my work
Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
then sponsor me on GitHub so I can spend more time on fixing issues like this one.
Learn more at https://github.com/sponsors/lbajsarowicz