Set "X-Content-Type-Options: nosniff" header in images/.htaccess

MediaWiki already sets this header unconditionally on all requests, but images are served directly by the webserver. We want to remove the IEContentAnalyzer, which currently provides protection against uploading problematic files, so instead we are going to recommend setting this header to instruct browsers to not sniff. Per pingback data, ~83% of reporting installs use Apache. This was suggested by Taavi. Bug: T309787 Change-Id: I8a0c50cc0a8bc037f4c9b0a114f87793446aed7f
2023-02-24 23:59:22 -05:00 · 2023-02-24 23:59:22 -05:00 · 8261b1b72e
commit 8261b1b72e
parent 60cdba6d78
1 changed files with 3 additions and 0 deletions
--- a/images/.htaccess
+++ b/images/.htaccess
@ -1,3 +1,6 @@
+<IfModule headers_module>
+Header set X-Content-Type-Options nosniff
+</IfModule>
 <IfModule php7_module>
 php_flag engine off
 </IfModule>