Send 'nosniff' header (fixes #97)

Change-Id: If9670a66a9402da77616a362ceda8ea47aceaa75
diff --git a/Changes b/Changes
index e991976..444b03b 100755
--- a/Changes
+++ b/Changes
@@ -10,6 +10,7 @@
         - Added nonce helper to CSP plugin.
         - Remove no-js class in nonced inline script.
         - Introduce HSTS header for https_only conf.
+        - Send 'nosniff' header.
 
 0.40 2020-12-17
         - Modernize ES and fix in-loops.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index a6c136e..6a6a7cf 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -108,6 +108,12 @@
       });
   };
 
+  $self->hook(
+    before_dispatch => sub {
+      shift->res->headers->header('X-Content-Type-Options' => 'nosniff');
+    }
+  );
+
   $conf->{proxy_host} //= 1;
 
   # Take proxy host
diff --git a/t/page.t b/t/page.t
index 4339f4e..68e2c25 100644
--- a/t/page.t
+++ b/t/page.t
@@ -31,6 +31,7 @@
   ->header_like('Content-Security-Policy', qr!nonce-!)
   ->content_like(qr/<script nonce/)
   ->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
+  ->header_is('X-Content-Type-Options', 'nosniff')
   ;
 
 # Test additions