From 096dab71ee14aa25b59effcff49af0fea344fbc3 Mon Sep 17 00:00:00 2001
From: maliming <malimings@gmail.com>
Date: Tue, 4 Oct 2022 10:27:56 +0800
Subject: [PATCH] Add `X-Content-Type-Options` to `AbpSecurityHeaders`.

Resolve #14217
---
 .../Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index 7eaa8b55e8..583b12efcb 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -19,6 +19,9 @@ public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency
         /*The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. SAMEORIGIN makes it being displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain*/
         AddHeaderIfNotExists(context, "X-Frame-Options", "SAMEORIGIN");
 
+        /*The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.*/
+        AddHeaderIfNotExists(context, "X-Content-Type-Options", "nosniff");
+
         await next.Invoke(context);
     }