
fix: add X-Content-Type-Options nosniff header to Apache htaccess#40682

Open
lbajsarowicz wants to merge 1 commit into magento:2.4-develop from lbajsarowicz:fix/htaccess-content-type-options

Conversation

@lbajsarowicz
Contributor

@lbajsarowicz lbajsarowicz commented Apr 10, 2026

Description

Add the X-Content-Type-Options: nosniff security header in pub/.htaccess alongside the existing X-Frame-Options header.

Problem

The .htaccess configuration sets X-Frame-Options: SAMEORIGIN to prevent clickjacking but does not set X-Content-Type-Options: nosniff. Without this header, browsers may MIME-sniff responses and interpret files as a different content type than declared, which can lead to:

  • Uploaded files in /media/ being interpreted as executable HTML/JavaScript
  • CSS files containing JavaScript being executed as script
  • Content-type confusion attacks

Solution

Add Header set X-Content-Type-Options "nosniff" in the mod_headers block of pub/.htaccess. This is set at the top-level .htaccess so it applies to all responses served through Apache.

References

Files Changed

  • pub/.htaccess

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
Then Sponsor me on Github so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz

Resolved issues:

  1. resolves #40773: [Issue] fix: add X-Content-Type-Options nosniff header to Apache htaccess
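The change the description outlines, shown as an added illustration rather than the PR's own diff (this page carries no hunk, and the exact surrounding lines of Magento's pub/.htaccess are assumed here). The first block is the weak state the description calls out; the second is the same mod_headers block with the header added. Note what the header does and does not do: with nosniff, browsers stop guessing a response's type from its bytes and apply strict MIME checks to script and stylesheet loads, which blocks a text/css or image response from running as script; it does not change how a response that is genuinely served as text/html is rendered.

```apache
# Added illustration of the pub/.htaccess change; the enclosing block is assumed, not copied from Magento.
# Before: only the clickjacking header is sent.
<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

# After: X-Content-Type-Options is set beside it, so every response that
# passes through this .htaccess (and, by inheritance, its subdirectories
# unless a deeper .htaccess changes header handling) tells the browser
# to trust the declared Content-Type and skip MIME sniffing.
<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Two checks worth running after applying it. First, confirm the header reaches the client on more than the storefront page, since the point of the change is to cover uploaded and static files: `curl -sI https://shop.example/media/some-upload.jpg | grep -i x-content-type-options` (hostname and path are placeholders) should print the header, and the same for a path under /static/ and for the homepage; if it is missing on one of them, a deeper .htaccess, a reverse proxy, or a CDN is rewriting headers on that path. Second, load the storefront with the browser console open and look for blocked resources: once nosniff is in place, any asset served with a wrong or absent Content-Type (a misconfigured MIME type for .js, .css, .woff2 or .svg is the usual culprit) is refused rather than sniffed, so a site that relied on sniffing to paper over such a misconfiguration will surface it immediately after this change.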

@m2-assistant

m2-assistant Bot commented Apr 10, 2026

Hi @lbajsarowicz. Thank you for your contribution!
Here are some useful tips on how you can test your changes using the Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

@engcom-Dash
Contributor

@magento create issue


Labels

Priority: P3 May be fixed according to the position in the backlog. Progress: pending review

Projects

Status: Pending Review

Development

Successfully merging this pull request may close these issues.

[Issue] fix: add X-Content-Type-Options nosniff header to Apache htaccess

2 participants