Include X-Content-Type-Options (XCTO) header into API responses

Related to: https://gitlab.com/gitlab-org/gitlab-ce/issues/36099
2017-10-30 10:52:22 -06:00 · 2017-10-30 10:52:22 -06:00 · e087e0751c
parent 4a3fd8abcb
commit e087e0751c
3 changed files with 15 additions and 1 deletions
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@ -57,7 +57,10 @@ module API
      mount ::API::V3::Variables
    end

-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end

    # The locale is set to the current user's locale when `current_user` is loaded
    after { Gitlab::I18n.use_default_locale }
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@ -50,6 +50,12 @@ describe API::Projects do
        expect(json_response).to be_an Array
        expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
      end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
    end

    shared_examples_for 'projects response without N + 1 queries' do
--- a/spec/support/matchers/security_header_matcher.rb
+++ b/spec/support/matchers/security_header_matcher.rb
@ -0,0 +1,5 @@
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end