From c30901134654b759d06b8e5b16bf7f9608f199fc Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Wed, 21 Jun 2023 14:18:04 +0200
Subject: [PATCH] Add hardened headers to user-uploaded files

---
 config/application.rb | 4 ++++
 dist/nginx.conf       | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/config/application.rb b/config/application.rb
index 21fc7a9239..a2e32a8f90 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -161,6 +161,10 @@ module Mastodon
 
     config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time, ActiveSupport::HashWithIndifferentAccess, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone]
 
+    config.public_file_server.headers = {
+      'X-Content-Type-Options' => 'nosniff',
+    }
+
     # config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
     # config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]
 
diff --git a/dist/nginx.conf b/dist/nginx.conf
index 7e03343680..cbcf328a6e 100644
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@@ -61,12 +61,15 @@ server {
   location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
     add_header Cache-Control "public, max-age=31536000, immutable";
     add_header Strict-Transport-Security "max-age=31536000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
     try_files $uri @proxy;
   }
 
   location /sw.js {
     add_header Cache-Control "public, max-age=0";
     add_header Strict-Transport-Security "max-age=31536000" always;
+    add_header X-Content-Type-Options nosniff;
     try_files $uri @proxy;
   }