Page MenuHomeTelepedia

Add 'nosniff' header to /images directory
Open, LowPublic


MediaWiki 1.40 recommends adding the nosniff header to the image directory:

You should configure your webserver to return the http header X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.

We need to do this before we fully upgrade to 1.40.

Event Timeline

OriginalAuthority created this task.
OriginalAuthority created this object with edit policy "All Users".

Still needed, but will need to be sent on S3's end.

This is slightly harder, due to the fact that S3 doesn't allow much scalability in terms of adding headers; notwithstanding this, we can probably do this on Fastly's end? Maybe.