Issue #462950 by pwolanin, Pere Orga: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type

author: David Rothstein <drothstein@gmail.com> 2015-10-03 15:13:35 -0400
committer: David Rothstein <drothstein@gmail.com> 2015-10-03 15:13:35 -0400
commit: c9d188950508f104a8115ec7a78335607d9b6037 (patch)
tree: 0a9c32d16f83baab39d252a5f69bf4bcf87dc725 /includes/bootstrap.inc
parent: 47d24ed171bcb4c6aca409ce8af0844a06520f5c (diff)
download: brdo-c9d188950508f104a8115ec7a78335607d9b6037.tar.gz
brdo-c9d188950508f104a8115ec7a78335607d9b6037.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index efddf006a..b2f2b042e 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1262,6 +1262,10 @@ function drupal_page_header() {
   $default_headers = array(
     'Expires' => 'Sun, 19 Nov 1978 05:00:00 GMT',
     'Cache-Control' => 'no-cache, must-revalidate, post-check=0, pre-check=0',
+    // Prevent browsers from sniffing a response and picking a MIME type
+    // different from the declared content-type, since that can lead to
+    // XSS and other vulnerabilities.
+    'X-Content-Type-Options' => 'nosniff',
   );
   drupal_send_headers($default_headers);
 }
author	David Rothstein <drothstein@gmail.com>	2015-10-03 15:13:35 -0400
committer	David Rothstein <drothstein@gmail.com>	2015-10-03 15:13:35 -0400
commit	c9d188950508f104a8115ec7a78335607d9b6037 (patch)
tree	0a9c32d16f83baab39d252a5f69bf4bcf87dc725 /includes/bootstrap.inc
parent	47d24ed171bcb4c6aca409ce8af0844a06520f5c (diff)
download	brdo-c9d188950508f104a8115ec7a78335607d9b6037.tar.gz brdo-c9d188950508f104a8115ec7a78335607d9b6037.tar.bz2