Send 'nosniff' header (fixes #97)
Change-Id: If9670a66a9402da77616a362ceda8ea47aceaa75
diff --git a/Changes b/Changes
index e991976..444b03b 100755
--- a/Changes
+++ b/Changes
@@ -10,6 +10,7 @@
- Added nonce helper to CSP plugin.
- Remove no-js class in nonced inline script.
- Introduce HSTS header for https_only conf.
+ - Send 'nosniff' header.
0.40 2020-12-17
- Modernize ES and fix in-loops.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index a6c136e..6a6a7cf 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -108,6 +108,12 @@
});
};
+ $self->hook(
+ before_dispatch => sub {
+ shift->res->headers->header('X-Content-Type-Options' => 'nosniff');
+ }
+ );
+
$conf->{proxy_host} //= 1;
# Take proxy host
diff --git a/t/page.t b/t/page.t
index 4339f4e..68e2c25 100644
--- a/t/page.t
+++ b/t/page.t
@@ -31,6 +31,7 @@
->header_like('Content-Security-Policy', qr!nonce-!)
->content_like(qr/<script nonce/)
->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
+ ->header_is('X-Content-Type-Options', 'nosniff')
;
# Test additions