
[Issue] fix: add X-Content-Type-Options nosniff header to nginx config #40775

@m2-assistant

This issue is automatically created based on existing pull request: #40679: fix: add X-Content-Type-Options nosniff header to nginx config


Description

Add the X-Content-Type-Options: nosniff security header alongside the existing X-Frame-Options header in all applicable location blocks in nginx.conf.sample.

Problem

The sample Nginx configuration sets X-Frame-Options: SAMEORIGIN in multiple location blocks to prevent clickjacking, but does not set X-Content-Type-Options: nosniff. Without this header, browsers may perform MIME type sniffing on responses, potentially interpreting files as a different content type than declared.

This can lead to security issues such as:

  • A CSS file containing JavaScript being executed as script
  • An uploaded image being interpreted as HTML
  • Content-type confusion attacks on user-uploaded files served from /media/

Solution

Add add_header X-Content-Type-Options "nosniff"; in every location block that already sets X-Frame-Options, including:

  • /setup/pub/ and /update/pub/ (admin setup/update assets)
  • /pub/ (public assets)
  • /static/ (versioned static assets, compressed files, fallback)
  • /media/ (media assets, compressed files, fallback)

This follows the same pattern used for X-Frame-Options — applied per-location rather than globally, matching Nginx's add_header inheritance behavior: a block inherits add_header directives from its enclosing level only if it defines none of its own, so a server-level X-Content-Type-Options would be dropped in every location that already sets X-Frame-Options.
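To make the inheritance point concrete, here is an added example that is not part of this issue, the linked PR, or Magento's nginx.conf.sample: a small Python checker that parses an nginx-style config, applies nginx's add_header inheritance rule (a block that declares any add_header of its own inherits none from its parent), and lists the location blocks that would not send X-Content-Type-Options. The two configs embedded in it are constructed for this example; the location names are modeled on the sample's layout but are not copied from it.

```python
"""Report nginx location blocks that end up without X-Content-Type-Options.

nginx add_header rule: a block inherits its parent's add_header directives
only when it defines none itself. Setting nosniff once at server level is
therefore not enough when locations already set X-Frame-Options.
(Added example; parser and sample configs are constructed, not Magento's.)
"""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                       # e.g. "server", "location /static/"
    headers: dict = field(default_factory=dict)     # add_header at this level only
    children: list = field(default_factory=list)


def parse(text: str) -> Block:
    """Minimal nginx config parser: nested blocks plus add_header directives."""
    text = re.sub(r"#[^\n]*", "", text)             # drop comments
    tokens = re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', text)
    root, stack, current = Block("main"), [], []
    stack.append(root)
    for tok in tokens:
        if tok == "{":                               # "location /x/ {" opens a child block
            blk = Block(" ".join(current))
            stack[-1].children.append(blk)
            stack.append(blk)
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                             # end of a directive
            if len(current) >= 3 and current[0] == "add_header":
                stack[-1].headers[current[1].lower()] = current[2].strip("\"'")
            current = []
        else:
            current.append(tok)
    return root


def effective_headers(block: Block, inherited: dict) -> dict:
    """Own add_header directives replace the parent's set; they do not merge."""
    return dict(block.headers) if block.headers else dict(inherited)


def locations_missing(block: Block, header: str, inherited: dict = None) -> list:
    """Names of location blocks whose effective headers lack `header`."""
    eff = effective_headers(block, inherited or {})
    missing = []
    if block.name.startswith("location") and header.lower() not in eff:
        missing.append(block.name)
    for child in block.children:
        missing.extend(locations_missing(child, header, eff))
    return missing


# Constructed "before": nosniff set once at server level, per-location X-Frame-Options.
BEFORE = r"""
server {
    listen 8080;
    add_header X-Content-Type-Options "nosniff";   # intended for everything...
    location /static/ {
        add_header X-Frame-Options "SAMEORIGIN";   # ...but this level has its own add_header
        location ~* \.(css|js)$ {
            add_header Cache-Control "public";     # same again one level down
        }
    }
    location /media/ {
        add_header X-Frame-Options "SAMEORIGIN";
    }
    location /health_check.php {
        return 200;                                # no add_header here, so it inherits nosniff
    }
}
"""

# Constructed "after": the header repeated in every block that sets add_header.
AFTER = r"""
server {
    listen 8080;
    location /static/ {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
        location ~* \.(css|js)$ {
            add_header Cache-Control "public";
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-Content-Type-Options "nosniff";
        }
    }
    location /media/ {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing nosniff in:", locations_missing(parse(cfg), "X-Content-Type-Options"))
```

The checker only models add_header and block nesting, so it is a review aid for config diffs like this one rather than a replacement for inspecting real responses; the nested `~* \.(css|js)$` location in the "before" config shows why the fix must touch the compressed-file and fallback blocks too, not just the top-level location.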

References

Files Changed

  • nginx.conf.sample

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
then sponsor me on GitHub so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz

Metadata

Labels: Issue: ready for confirmation; Reported on 2.4.x (indicates the original Magento version for the issue report); Triage: Dev.Experience (issue related to Developer Experience and needs help with triage to confirm or reject it)

Status: Ready for Confirmation

Assignees: none. Milestone: none. Linked branches or pull requests: none.