Merge branch '36099-api-responses-missing-x-content-type-options-header' into '10-1-stable'

Include X-Content-Type-Options (XCTO) header into API responses

See merge request gitlab/gitlabhq!2211

(cherry picked from commit 6c818e77f2abeef2dd7b17a269611b018701fa79)

e087e075 Include X-Content-Type-Options (XCTO) header into API responses

3 files changed, 15 insertions, 1 deletions

diff --git a/lib/api/api.rb b/lib/api/api.rb
index 79e55a2f4f7..1664197689d 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -57,7 +57,10 @@ module API
       mount ::API::V3::Variables
     end
 
-    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
+    before do
+      header['X-Frame-Options'] = 'SAMEORIGIN'
+      header['X-Content-Type-Options'] = 'nosniff'
+    end
 
     # The locale is set to the current user's locale when `current_user` is loaded
     after { Gitlab::I18n.use_default_locale }
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 5964244f8c5..2e3416cb74d 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -50,6 +50,12 @@ describe API::Projects do
         expect(json_response).to be_an Array
         expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id))
       end
+
+      it 'returns the proper security headers' do
+        get api('/projects', current_user), filter
+
+        expect(response).to include_security_headers
+      end
     end
 
     shared_examples_for 'projects response without N + 1 queries' do
diff --git a/spec/support/matchers/security_header_matcher.rb b/spec/support/matchers/security_header_matcher.rb
new file mode 100644
index 00000000000..f8518d13ebb
--- /dev/null
+++ b/spec/support/matchers/security_header_matcher.rb
@@ -0,0 +1,5 @@
+RSpec::Matchers.define :include_security_headers do |expected|
+  match do |actual|
+    expect(actual.headers).to include('X-Content-Type-Options')
+  end
+end