Merge branch '36099-api-responses-missing-x-content-type-options-header' into '10-1-stable'

Include X-Content-Type-Options (XCTO) header into API responses See merge request gitlab/gitlabhq!2211
2017-11-01 09:25:49 +00:00 · 2017-11-01 09:25:49 +00:00 · 6c818e77f2
parent cc27e5febd e087e0751c
commit 6c818e77f2
3 changed files with 15 additions and 1 deletions
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@ -57,7 +57,10 @@ module API
      mount ::API::V3::Variables
    end

-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end

    # The locale is set to the current user's locale when `current_user` is loaded
    after { Gitlab::I18n.use_default_locale }
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@ -50,6 +50,12 @@ describe API::Projects do
        expect(json_response).to be_an Array
        expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
      end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
    end

    shared_examples_for 'projects response without N + 1 queries' do
--- a/spec/support/matchers/security_header_matcher.rb
+++ b/spec/support/matchers/security_header_matcher.rb
@ -0,0 +1,5 @@
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end