security: add X-Content-Type-Options nosniff header to media route (#30356)

Merged via squash. Prepared head SHA: b14f9ad7ca Co-authored-by: 13otKmdr <154699144+13otKmdr@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06
2026-04-19 06:37:28 +00:00 · 2026-03-03 13:35:46 -08:00
parent bcd58c26d3
commit a8dd9ffea1
3 changed files with 4 additions and 0 deletions
--- a/src/media/server.test.ts
+++ b/src/media/server.test.ts
@@ -61,6 +61,7 @@ describe("media server", () => {
    const file = await writeMediaFile("file1", "hello");
    const res = await fetch(mediaUrl("file1"));
    expect(res.status).toBe(200);
+    expect(res.headers.get("x-content-type-options")).toBe("nosniff");
    expect(await res.text()).toBe("hello");
    await waitForFileRemoval(file);
  });
@@ -113,6 +114,7 @@ describe("media server", () => {
  it("returns not found for missing media IDs", async () => {
    const res = await fetch(mediaUrl("missing-file"));
    expect(res.status).toBe(404);
+    expect(res.headers.get("x-content-type-options")).toBe("nosniff");
    expect(await res.text()).toBe("not found");
  });

--- a/src/media/server.ts
+++ b/src/media/server.ts
@@ -33,6 +33,7 @@ export function attachMediaRoutes(
  const mediaDir = getMediaDir();

  app.get("/media/:id", async (req, res) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
    const id = req.params.id;
    if (!isValidMediaId(id)) {
      res.status(400).send("invalid path");