feat(security): set X-Content-Type-Options: nosniff by default (#37354)

Fixes #37316. --------- Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com> Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-04-24 04:21:34 -07:00
parent 1483291a87
commit 6826321570
7 changed files with 45 additions and 26 deletions
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -16,9 +16,11 @@ import (
 // Security settings
 var Security = struct {
 	// TODO: move more settings to this struct in future
-	XFrameOptions string
+	XFrameOptions       string
+	XContentTypeOptions string
 }{
-	XFrameOptions: "SAMEORIGIN",
+	XFrameOptions:       "SAMEORIGIN",
+	XContentTypeOptions: "nosniff",
 }

 var (
@@ -154,6 +156,8 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		Security.XFrameOptions = rootCfg.Section("cors").Key("X_FRAME_OPTIONS").MustString(Security.XFrameOptions)
 	}

+	Security.XContentTypeOptions = sec.Key("X_CONTENT_TYPE_OPTIONS").MustString(Security.XContentTypeOptions)
+
 	twoFactorAuth := sec.Key("TWO_FACTOR_AUTH").String()
 	switch twoFactorAuth {
 	case "":