security: add X-Content-Type-Options nosniff header to media route (#30356)

13otKmdr · grp06 · web-flow · commit a8dd9ffea174 · 2026-03-03T13:35:46.000-08:00
Merged via squash. Prepared head SHA: b14f9ad Co-authored-by: 13otKmdr <154699144+13otKmdr@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06
diff --git a/changelog/fragments/pr-30356.md b/changelog/fragments/pr-30356.md
@@ -0,0 +1 @@
+- Security/Media route: add `X-Content-Type-Options: nosniff` header regression assertions for successful and not-found media responses (#30356) (thanks @13otKmdr)
diff --git a/src/media/server.test.ts b/src/media/server.test.ts
@@ -61,6 +61,7 @@ describe("media server", () => {
     const file = await writeMediaFile("file1", "hello");
     const res = await fetch(mediaUrl("file1"));
     expect(res.status).toBe(200);
+    expect(res.headers.get("x-content-type-options")).toBe("nosniff");
     expect(await res.text()).toBe("hello");
     await waitForFileRemoval(file);
   });
@@ -113,6 +114,7 @@ describe("media server", () => {
   it("returns not found for missing media IDs", async () => {
     const res = await fetch(mediaUrl("missing-file"));
     expect(res.status).toBe(404);
+    expect(res.headers.get("x-content-type-options")).toBe("nosniff");
     expect(await res.text()).toBe("not found");
   });
 
diff --git a/src/media/server.ts b/src/media/server.ts
@@ -33,6 +33,7 @@ export function attachMediaRoutes(
   const mediaDir = getMediaDir();
 
   app.get("/media/:id", async (req, res) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
     const id = req.params.id;
     if (!isValidMediaId(id)) {
       res.status(400).send("invalid path");

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+- Security/Media route: add `X-Content-Type-Options: nosniff` header regression assertions for successful and not-found media responses (#30356) (thanks @13otKmdr)