feat(infra): add X-Content-Type-Options: nosniff header, starting wit…

…h staging It prevents browsers from incorrectly detecting non-scripts as scripts
SocialGouv · Aug 13, 2024 · 944a44d · 944a44d
1 parent 3528162
commit 944a44d
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/infra/traefik/config/dynamic.yml b/infra/traefik/config/dynamic.yml
@@ -175,6 +175,7 @@ http:
         customResponseHeaders:
           Content-Security-Policy: "frame-ancestors 'self'; object-src 'none'; img-src 'self' data: https: ; script-src 'self' https://static.userguiding.com https://public.produktly.com https://matomo.fabrique.social.gouv.fr 'unsafe-inline'"
           X-Frame-Options: SAMEORIGIN
+          X-Content-Type-Options: nosniff
 
     removePath:
       replacePath: