Skip to content

fix: add X-Content-Type-Options nosniff header to nginx config#40679

Open
lbajsarowicz wants to merge 1 commit intomagento:2.4-developfrom
lbajsarowicz:fix/nginx-content-type-options
Open

fix: add X-Content-Type-Options nosniff header to nginx config#40679
lbajsarowicz wants to merge 1 commit intomagento:2.4-developfrom
lbajsarowicz:fix/nginx-content-type-options

Conversation

@lbajsarowicz
Copy link
Copy Markdown
Contributor

@lbajsarowicz lbajsarowicz commented Apr 10, 2026

Description

Add the X-Content-Type-Options: nosniff security header alongside the existing X-Frame-Options header in all applicable location blocks in nginx.conf.sample.

Problem

The sample Nginx configuration sets X-Frame-Options: SAMEORIGIN in multiple location blocks to prevent clickjacking, but does not set X-Content-Type-Options: nosniff. Without this header, browsers may perform MIME type sniffing on responses, potentially interpreting files as a different content type than declared.

This can lead to security issues such as:

  • A CSS file containing JavaScript being executed as script
  • An uploaded image being interpreted as HTML
  • Content-type confusion attacks on user-uploaded files served from /media/

Solution

Add add_header X-Content-Type-Options "nosniff"; in every location block that already sets X-Frame-Options, including:

  • /setup/pub/ and /update/pub/ (admin setup/update assets)
  • /pub/ (public assets)
  • /static/ (versioned static assets, compressed files, fallback)
  • /media/ (media assets, compressed files, fallback)

This follows the same pattern used for X-Frame-Options — applied per-location rather than globally, matching Nginx's add_header inheritance behavior (child blocks don't inherit parent add_header directives).

References

Files Changed

  • nginx.conf.sample

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
Then Sponsor me on Github so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz

@m2-assistant
Copy link
Copy Markdown

m2-assistant bot commented Apr 10, 2026

Hi @lbajsarowicz. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan
Copy link
Copy Markdown

ct-prd-pr-scan bot commented Apr 10, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lbajsarowicz