Add X-Content-Type-Options as a custom domain header (#10062)

* Add X-Content-Type-Options as a custom domain header

A user requested this via https://infosec.mozilla.org/guidelines/web_security

* Add migration

Author: ericholscher

dockerfiles/nginx/proxito.conf.template

@@ -82,6 +82,8 @@ server {
         add_header Access-Control-Allow-Headers $access_control_allow_headers always;
         set $x_frame_options $upstream_http_x_frame_options;
         add_header X-Frame-Options $x_frame_options always;
+        set $x_content_type_options $upstream_http_x_content_type_options;
+        add_header X-Content-Type-Options $x_content_type_options always;
         # Minio sets this header on the response, and we don't want to copy it to the response
         proxy_hide_header Content-Security-Policy;
         set $content_security_policy $upstream_http_content_security_policy;

readthedocs/projects/migrations/0096_add_http_header.py

@@ -0,0 +1,30 @@
+# Generated by Django 3.2.18 on 2023-02-22 19:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("projects", "0095_default_branch_helptext"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="httpheader",
+            name="name",
+            field=models.CharField(
+                choices=[
+                    ("access_control_allow_origin", "Access-Control-Allow-Origin"),
+                    ("access_control_allow_headers", "Access-Control-Allow-Headers"),
+                    ("content_security_policy", "Content-Security-Policy"),
+                    ("feature_policy", "Feature-Policy"),
+                    ("permissions_policy", "Permissions-Policy"),
+                    ("referrer_policy", "Referrer-Policy"),
+                    ("x_frame_options", "X-Frame-Options"),
+                    ("x_content_type_options", "X-Content-Type-Options"),
+                ],
+                max_length=128,
+            ),
+        ),
+    ]

readthedocs/projects/models.py

@@ -1774,13 +1774,14 @@ class HTTPHeader(TimeStampedModel, models.Model):
     """
 
     HEADERS_CHOICES = (
-        ('access_control_allow_origin', 'Access-Control-Allow-Origin'),
-        ('access_control_allow_headers', 'Access-Control-Allow-Headers'),
-        ('content_security_policy', 'Content-Security-Policy'),
-        ('feature_policy', 'Feature-Policy'),
-        ('permissions_policy', 'Permissions-Policy'),
-        ('referrer_policy', 'Referrer-Policy'),
-        ('x_frame_options', 'X-Frame-Options'),
+        ("access_control_allow_origin", "Access-Control-Allow-Origin"),
+        ("access_control_allow_headers", "Access-Control-Allow-Headers"),
+        ("content_security_policy", "Content-Security-Policy"),
+        ("feature_policy", "Feature-Policy"),
+        ("permissions_policy", "Permissions-Policy"),
+        ("referrer_policy", "Referrer-Policy"),
+        ("x_frame_options", "X-Frame-Options"),
+        ("x_content_type_options", "X-Content-Type-Options"),
     )
 
     domain = models.ForeignKey(