From c08b3c505a44d7b96b0a66d194b0d84275ce48da Mon Sep 17 00:00:00 2001
From: Blake Stoddard
Date: Fri, 16 Oct 2020 09:58:17 -0400
Subject: [PATCH] Disable browser MIME confusion attacks via content-type sniffing

---
 imageproxy.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/imageproxy.go b/imageproxy.go
index 7dc1098..2f1d6f6 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -255,6 +255,9 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	// Add a Content-Security-Policy to prevent stored-XSS attacks via SVG files
 	w.Header().Set("Content-Security-Policy", "script-src 'none'")
 
+	// Disable Content-Type sniffing
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+
 	w.WriteHeader(resp.StatusCode)
 	if _, err := io.Copy(w, resp.Body); err != nil {
 		p.logf("error copying response: %v", err)
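Review bot: The added `X-Content-Type-Options` header is set before `w.WriteHeader(resp.StatusCode)`, which is the right ordering, but its protective effect depends on the response's Content-Type being accurate: with nosniff a browser no longer falls back to sniffing, so an image forwarded with a missing or generic upstream Content-Type is refused rather than rendered. How Content-Type is populated happens earlier in serveImage, outside this hunk, so that path is worth re-checking, and a handler test asserting the header value on a served image would pin the new behaviour. The comment would also carry more weight if it said why the header is there, e.g. `// Disable MIME sniffing so a body that is not an image is never interpreted as script or HTML`, and sits naturally next to the CSP comment above it as the second browser-hardening header. serveImage starts and ends outside the hunk.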