Add hardened headers to user-uploaded files (#25756)
parent
fac2c9eb7d
commit
9b6c0cac7d
|
@ -109,6 +109,8 @@ server {
|
||||||
location ~ ^/system/ {
|
location ~ ^/system/ {
|
||||||
add_header Cache-Control "public, max-age=2419200, immutable";
|
add_header Cache-Control "public, max-age=2419200, immutable";
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -32,6 +32,11 @@ class PublicFileServerMiddleware
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Override the default CSP header set by the CSP middleware
|
||||||
|
headers['Content-Security-Policy'] = "default-src 'none'; form-action 'none'" if request_path.start_with?(paperclip_root_url)
|
||||||
|
|
||||||
|
headers['X-Content-Type-Options'] = 'nosniff'
|
||||||
|
|
||||||
[status, headers, response]
|
[status, headers, response]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Reference in New Issue