fix(echo): set Content-Type to prevent MIME-sniff XSS (CVE-2026-43644)

Use tab indentation to match gofmt. Signed-off-by: Niccolò Parlanti <54103711+Niccolo10@users.noreply.github.com>
2026-05-23 09:52:46 +00:00 · 2026-05-15 12:04:27 +02:00
parent 9f4969c2c8
commit b65271f0d9
1 changed files with 3 additions and 0 deletions
--- a/pkg/api/http/echo.go
+++ b/pkg/api/http/echo.go
@@ -102,6 +102,9 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		s.JSONResponse(w, r, result)

 	} else {
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Content-Security-Policy", "default-src 'none'")
 		w.Header().Set("X-Color", s.config.UIColor)
 		w.WriteHeader(http.StatusAccepted)
 		w.Write(body)