From b65271f0d98bde04670c74bcfabf767ede9ae51c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niccol=C3=B2=20Parlanti?= <54103711+Niccolo10@users.noreply.github.com>
Date: Fri, 15 May 2026 12:04:27 +0200
Subject: [PATCH] fix(echo): set Content-Type to prevent MIME-sniff XSS (CVE-2026-43644)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use tab indentation to match gofmt.

Signed-off-by: Niccolò Parlanti <54103711+Niccolo10@users.noreply.github.com>
---
 pkg/api/http/echo.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/api/http/echo.go b/pkg/api/http/echo.go
index f744e9f..81e3d3c 100644
--- a/pkg/api/http/echo.go
+++ b/pkg/api/http/echo.go
@@ -102,6 +102,9 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		s.JSONResponse(w, r, result)
 	} else {
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Content-Security-Policy", "default-src 'none'")
 		w.Header().Set("X-Color", s.config.UIColor)
 		w.WriteHeader(http.StatusAccepted)
 		w.Write(body)