ID: 11607
Title: Improve GUI security: Prevent changing content type
Component: Multisite
Level: 1
Class: Security fix
Version: 2.0.0i2
All web pages served by Checkmk will now have the HTTP header <tt>Header always
set X-Content-Type-Options: "nosniff"</tt> set. It prevents a client
from
guessing the content type based on the provided file. This is a way to opt out
of MIME type sniffing, or, in other words, to say that the MIME types are
deliberately configured.
Further information can be found here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Op…
https://www.chromium.org/Home/chromium-security/corb-for-developers