From 71d5f51ae6d4af722f0932c3374dc82ba5bb74bd Mon Sep 17 00:00:00 2001
From: mutantmonkey
Date: Sun, 4 Oct 2015 15:18:22 -0700
Subject: [PATCH] add X-Content-Type-Options: nosniff

---
 csp.go | 6 ++++--
 csp_test.go | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/csp.go b/csp.go
index ac68d1a..242619e 100644
--- a/csp.go
+++ b/csp.go
@@ -5,8 +5,9 @@ import (
 )
 const (
- cspHeader = "Content-Security-Policy"
- frameOptionsHeader = "X-Frame-Options"
+ cspHeader = "Content-Security-Policy"
+ frameOptionsHeader = "X-Frame-Options"
+ contentTypeOptionsHeader = "X-Content-Type-Options"
 )
 type csp struct {
@@ -26,6 +27,7 @@ func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 w.Header().Set(frameOptionsHeader, c.opts.frame)
+ w.Header().Set(contentTypeOptionsHeader, "nosniff")
 c.h.ServeHTTP(w, r)
 }
diff --git a/csp_test.go b/csp_test.go
index ae4c6db..636272b 100644
--- a/csp_test.go
+++ b/csp_test.go
@@ -11,6 +11,7 @@ import (
 var testCSPHeaders = map[string]string{
 "Content-Security-Policy": "default-src 'none'; style-src 'self';",
 "X-Frame-Options": "SAMEORIGIN",
+ "X-Content-Type-Options": "nosniff",
 }
 func TestContentSecurityPolicy(t *testing.T) {
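Review bot: In the ServeHTTP hunk of csp.go the new header value is a bare string literal, while the sibling X-Frame-Options value on the line above is taken from `c.opts.frame`; either add a named constant next to the header names, `contentTypeOptionsValue = "nosniff"`, and use it here and in csp_test.go, or leave a short comment explaining why this one is deliberately fixed and not configurable through `csp.opts`. Because `Set` runs before `c.h.ServeHTTP(w, r)`, the wrapped handler can still overwrite the header, so the new test only pins what this middleware emits; a comment such as `// nosniff is always sent: the wrapped handler must set an accurate Content-Type, since browsers will refuse mismatched script and stylesheet responses` would also warn maintainers of the operational consequence. ServeHTTP begins outside the hunk, so the conditional that the closing `}` at the top of the hunk belongs to is not visible here.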