add X-Content-Type-Options: nosniff

9 years ago · 71d5f51ae6
2 changed files with 5 additions and 2 deletions
--- a/csp.go
+++ b/csp.go
@ -7,6 +7,7 @@ import (
 const (
 	cspHeader                = "Content-Security-Policy"
 	frameOptionsHeader       = "X-Frame-Options"
+	contentTypeOptionsHeader = "X-Content-Type-Options"
 )

 type csp struct {
@ -26,6 +27,7 @@ func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}

 	w.Header().Set(frameOptionsHeader, c.opts.frame)
+	w.Header().Set(contentTypeOptionsHeader, "nosniff")

 	c.h.ServeHTTP(w, r)
 }
--- a/csp_test.go
+++ b/csp_test.go
@ -11,6 +11,7 @@ import (
 var testCSPHeaders = map[string]string{
 	"Content-Security-Policy": "default-src 'none'; style-src 'self';",
 	"X-Frame-Options":         "SAMEORIGIN",
+	"X-Content-Type-Options":  "nosniff",
 }

 func TestContentSecurityPolicy(t *testing.T) {