Set X-Content-Type-Options: nosniff header

Author: dougwilson

HISTORY.md

@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Set `X-Content-Type-Options: nosniff` header
   * deps: [email protected]
   * deps: [email protected]
     - Allow colors in workers

index.js

@@ -495,8 +495,14 @@ function removeHidden(files) {
  */
 
 function send (res, type, body) {
+  // security header for content sniffing
+  res.setHeader('X-Content-Type-Options', 'nosniff')
+
+  // standard headers
   res.setHeader('Content-Type', type + '; charset=utf-8')
   res.setHeader('Content-Length', Buffer.byteLength(body, 'utf8'))
+
+  // body
   res.end(body, 'utf8')
 }
 

test/test.js

@@ -26,6 +26,15 @@ describe('serveIndex(root)', function () {
     .expect(200, done)
   })
 
+  it('should include security header', function (done) {
+    var server = createServer()
+
+    request(server)
+    .get('/')
+    .expect('X-Content-Type-Options', 'nosniff')
+    .expect(200, done)
+  })
+
   it('should serve a directory index', function (done) {
     var server = createServer()
 
@@ -117,6 +126,16 @@ describe('serveIndex(root)', function () {
         .expect(/さくら\.txt/)
         .expect(200, done)
       });
+
+      it('should include security header', function (done) {
+        var server = createServer()
+
+        request(server)
+        .get('/')
+        .set('Accept', 'application/json')
+        .expect('X-Content-Type-Options', 'nosniff')
+        .expect(200, done)
+      })
     });
 
     describe('when Accept: text/html is given', function () {
@@ -136,6 +155,16 @@ describe('serveIndex(root)', function () {
         .end(done);
       });
 
+      it('should include security header', function (done) {
+        var server = createServer()
+
+        request(server)
+        .get('/')
+        .set('Accept', 'text/html')
+        .expect('X-Content-Type-Options', 'nosniff')
+        .expect(200, done)
+      })
+
       it('should property escape file names', function (done) {
         var server = createServer()
 
@@ -194,6 +223,16 @@ describe('serveIndex(root)', function () {
         .expect(/さくら\.txt/)
         .end(done);
       });
+
+      it('should include security header', function (done) {
+        var server = createServer()
+
+        request(server)
+        .get('/')
+        .set('Accept', 'text/plain')
+        .expect('X-Content-Type-Options', 'nosniff')
+        .expect(200, done)
+      })
     });
 
     describe('when Accept: application/x-bogus is given', function () {