From 74be4295f4d11ec163654cad66cc1e6626751f86 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Sat, 25 Feb 2023 16:48:26 +0000
Subject: [PATCH] security: add `X-Content-Type-Options: nosniff` to block MIME-sniffing coder/security#12
---
coderd/coderd.go | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/coderd/coderd.go b/coderd/coderd.go
index 34f4f61f5fdf3..bc8d39bb587fd 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -319,6 +319,16 @@ func New(options *Options) *API {
 next.ServeHTTP(w, r)
 })
 },
+ // This header stops a browser from trying to MIME-sniff the content type and
+ // forces it to stick with the declared content-type. This is the only valid
+ // value for this header.
+ // See: https://github.com/coder/security/issues/12
+ func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Add("X-Content-Type-Options", "nosniff")
+ next.ServeHTTP(w, r)
+ })
+ },
 httpmw.CSRF(options.SecureAuthCookie),
 )
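Review bot: `w.Header().Add("X-Content-Type-Options", "nosniff")` appends rather than replaces, so if another middleware or handler in the chain also emits this header the response carries it twice; for a single-valued header the conventional form is `w.Header().Set("X-Content-Type-Options", "nosniff")`. The header is written before `next.ServeHTTP`, so a downstream handler that calls `Del` or `Set` on it can still remove or change it, which is presumably intended but worth a one-line comment. Whether every response path goes through this `Use` chain (static assets, subrouters mounted elsewhere) is not visible from the hunk, so a handler test asserting the header on a representative API response and an asset response would pin the behaviour. The enclosing `New` function starts and ends outside the hunk.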