diff options
author | Douwe Maan <douwe@gitlab.com> | 2017-11-01 09:25:49 +0000 |
---|---|---|
committer | Winnie Hellmann <winnie@gitlab.com> | 2017-11-07 19:26:16 +0000 |
commit | 7521d0cb07f70a1193146b7c7c7556d4f25b35aa (patch) | |
tree | 4b83b48818c689b8bbc25d7602db5483b9c1d04f | |
parent | ebf9d0c4e33ea1c7058c0d9b9121e6a8d03f034f (diff) | |
download | gitlab-ce-7521d0cb07f70a1193146b7c7c7556d4f25b35aa.tar.gz |
Merge branch '36099-api-responses-missing-x-content-type-options-header' into '10-1-stable'
Include X-Content-Type-Options (XCTO) header into API responses
See merge request gitlab/gitlabhq!2211
(cherry picked from commit 6c818e77f2abeef2dd7b17a269611b018701fa79)
e087e075 Include X-Content-Type-Options (XCTO) header into API responses
-rw-r--r-- | lib/api/api.rb | 5 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 6 | ||||
-rw-r--r-- | spec/support/matchers/security_header_matcher.rb | 5 |
3 files changed, 15 insertions, 1 deletions
diff --git a/lib/api/api.rb b/lib/api/api.rb index 79e55a2f4f7..1664197689d 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -57,7 +57,10 @@ module API mount ::API::V3::Variables end - before { header['X-Frame-Options'] = 'SAMEORIGIN' } + before do + header['X-Frame-Options'] = 'SAMEORIGIN' + header['X-Content-Type-Options'] = 'nosniff' + end # The locale is set to the current user's locale when `current_user` is loaded after { Gitlab::I18n.use_default_locale } diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index 5964244f8c5..2e3416cb74d 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -50,6 +50,12 @@ describe API::Projects do expect(json_response).to be_an Array expect(json_response.map { |p| p['id'] }).to contain_exactly(*projects.map(&:id)) end + + it 'returns the proper security headers' do + get api('/projects', current_user), filter + + expect(response).to include_security_headers + end end shared_examples_for 'projects response without N + 1 queries' do diff --git a/spec/support/matchers/security_header_matcher.rb b/spec/support/matchers/security_header_matcher.rb new file mode 100644 index 00000000000..f8518d13ebb --- /dev/null +++ b/spec/support/matchers/security_header_matcher.rb @@ -0,0 +1,5 @@ +RSpec::Matchers.define :include_security_headers do |expected| + match do |actual| + expect(actual.headers).to include('X-Content-Type-Options') + end +end |