Merge pull request #77 from linkRace/master

Adding nosniff Header
krakenjs · Apr 28, 2016 · c7291ff · c7291ff
2 parents 64fc9d1 + 9d60cb7
commit c7291ff
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,8 @@ app.use(lusca({
     xframe: 'SAMEORIGIN',
     p3p: 'ABCDEF',
     hsts: {maxAge: 31536000, includeSubDomains: true, preload: true},
-    xssProtection: true
+    xssProtection: true,
+    nosniff: true
 }));
 ```
 
@@ -43,6 +44,7 @@ app.use(lusca.xframe('SAMEORIGIN'));
 app.use(lusca.p3p('ABCDEF'));
 app.use(lusca.hsts({ maxAge: 31536000 }));
 app.use(lusca.xssProtection(true));
+app.use(lusca.nosniff(true));
 ```
 
 __Please note that you must use [express-session](https://github.com/expressjs/session), [cookie-session](https://github.com/expressjs/cookie-session), their express 3.x alternatives, or other session object management in order to use lusca.__
@@ -123,3 +125,8 @@ Enables [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_St
 * `options.mode` String - Optional. Mode to set on the header (see header docs). Defaults to `block`.
 
 Enables [X-XSS-Protection](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8)
+
+
+### lusca.nosniff(true)
+
+Enables [X-Content-Type-Options](https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/) header to prevent MIME-sniffing a response away from the declared content-type.  Defaults to false.
diff --git a/index.js b/index.js
@@ -60,4 +60,5 @@ lusca.csp = require('./lib/csp');
 lusca.hsts = require('./lib/hsts');
 lusca.p3p = require('./lib/p3p');
 lusca.xframe = require('./lib/xframes');
-lusca.xssProtection = require('./lib/xssprotection');
+lusca.xssProtection = require('./lib/xssprotection');
+lusca.nosniff = require('./lib/nosniff');
diff --git a/lib/nosniff.js b/lib/nosniff.js
@@ -0,0 +1,12 @@
+'use strict';
+
+/**
+ * X-Content-Type-Options
+ * https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
+ */
+module.exports = function nosniff() {
+    return function nosniff(req, res, next) {
+        res.header('X-Content-Type-Options', 'no sniff');
+        next();
+    };
+};