Merge branch '36099-api-responses-missing-x-content-type-options-header' into '10-1-stable'

Include X-Content-Type-Options (XCTO) header into API responses

See merge request gitlab/gitlabhq!2211

lib/api/api.rb

@@ -57,7 +57,10 @@ module API
       mount ::API::V3::Variables
     end
 
-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end
 
     # The locale is set to the current user's locale when `current_user` is loaded
     after { Gitlab::I18n.use_default_locale }

spec/requests/api/projects_spec.rb

@@ -50,6 +50,12 @@ describe API::Projects do
         expect(json_response).to be_an Array
         expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
       end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
     end
 
     shared_examples_for 'projects response without N + 1 queries' do

spec/support/matchers/security_header_matcher.rb

@@ -0,0 +1,5 @@
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end