Commit 290f932d authored by Douwe Maan's avatar Douwe Maan Committed by Winnie Hellmann

Merge branch 'security-9-5-36099-api-responses-missing-x-content' into 'security-9-5'

(backport) Include X-Content-Type-Options (XCTO) header into API responses

See merge request gitlab/gitlabhq!2216

(cherry picked from commit 5fcb214f8527b3d58be1a833a596d01b1bf6119e)

40c6c9f4 Include X-Content-Type-Options (XCTO) header into API responses
parent fe419949
...@@ -47,7 +47,10 @@ module API ...@@ -47,7 +47,10 @@ module API
mount ::API::V3::Variables mount ::API::V3::Variables
end end
before { header['X-Frame-Options'] = 'SAMEORIGIN' } before do
header['X-Frame-Options'] = 'SAMEORIGIN'
header['X-Content-Type-Options'] = 'nosniff'
end
# The locale is set to the current user's locale when `current_user` is loaded # The locale is set to the current user's locale when `current_user` is loaded
after { Gitlab::I18n.use_default_locale } after { Gitlab::I18n.use_default_locale }
......
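Review bot: The two headers set in the new `before do … end` block may not reach error responses: Grape's error middleware builds `error!`/`rescue_from` responses from the headers handed to `error!`, not from the endpoint's `header` hash, so a 401/404 JSON body from `unauthorized!`/`not_found!` could still go out without `nosniff` (whether this applies depends on the Grape version pinned in Gemfile.lock — worth verifying with a request spec against a 404). If it does, the dependable place is a Rack middleware in front of the API, or merging `header` into the `error!` call in the API error helper. Either way a one-line why-comment would help the next reader, e.g. `# Set on every API response so JSON/raw bodies are never MIME-sniffed or framed by a browser.` The enclosing `module API` class body starts and ends outside the hunk.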
...@@ -50,6 +50,12 @@ describe API::Projects do ...@@ -50,6 +50,12 @@ describe API::Projects do
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id)) expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
end end
it 'returns the proper security headers' do
get api('/projects', current_user), filter
expect(response).to include_security_headers
end
end end
shared_examples_for 'projects response without N + 1 queries' do shared_examples_for 'projects response without N + 1 queries' do
......
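Review bot: The new example only exercises the 200 path of `GET /projects`; responses produced by `error!`/`rescue_from` are assembled by Grape's error middleware rather than by the endpoint, so the regression this commit fixes is most likely to recur on non-2xx paths. Add an example against an error response, e.g. `get api('/projects/0', current_user)` (assuming no project with id 0 exists) followed by `expect(response).to have_http_status(404)` and `expect(response).to include_security_headers`. The shared example group that contains this `it` block starts outside the hunk.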
RSpec::Matchers.define :include_security_headers do |expected|
match do |actual|
expect(actual.headers).to include('X-Content-Type-Options')
end
end
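Review bot: The matcher only asserts that the `X-Content-Type-Options` key is present, so a response with an empty or wrong value still passes, and `X-Frame-Options` — which the same commit sets — is not checked at all; the `|expected|` block argument is unused and there is no `failure_message`. Assert the values instead: `expect(actual.headers).to include('X-Content-Type-Options' => 'nosniff', 'X-Frame-Options' => 'SAMEORIGIN')`, and either drop `|expected|` or use it to pass the header hash so the matcher is reusable for other headers. The file header for this section is not shown, so I am assuming this is a new spec support file picked up by spec_helper.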