From aef44afbbaebe91e8a8e1c1d174a2f7653bef931 Mon Sep 17 00:00:00 2001
From: Dale Sikkema <dsikkema@ebay.com>
Date: Fri, 18 Sep 2015 14:41:01 -0500
Subject: [PATCH] MAGETWO-41913: Add no-sniff headers/xss protection to server
 config files

---
 .htaccess         | 7 +++++++
 nginx.conf.sample | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/.htaccess b/.htaccess
index bef5869dd2f..1e2eb4bc3d8 100644
--- a/.htaccess
+++ b/.htaccess
@@ -182,3 +182,10 @@
 ## http://developer.yahoo.com/performance/rules.html#etags
 
     #FileETag none
+
+############################################
+## Add custom headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options: nosniff
+    Header set X-XSS-Protection: '1; mode=block'
+</IfModule>
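Review bot: `Header set` on the two directives just before `</IfModule>` only touches Apache's onsuccess header table, so internally generated error responses (ErrorDocument pages, 4xx/5xx the server produces itself) go out without `X-Content-Type-Options`; `Header always set X-Content-Type-Options "nosniff"` and `Header always set X-XSS-Protection "1; mode=block"` cover those responses as well, and the nginx.conf.sample hunk has the same gap, where the fix is the `always` parameter (`add_header 'X-Content-Type-Options' 'nosniff' always;`, available from nginx 1.7.5). The trailing colon after each header name and the single-quoted value are tolerated by the config parser but are not the documented spelling, so the double-quoted forms above are the conventional ones. Independently of the syntax, `X-XSS-Protection` has since become a legacy header, as the filter it controls was later removed from Chromium-based browsers and never existed in Firefox, so it should be treated as a defense-in-depth hint only, with a Content-Security-Policy as the actual XSS control.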
diff --git a/nginx.conf.sample b/nginx.conf.sample
index cab0b839ffe..596c08612b2 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -24,6 +24,9 @@ index index.php;
 autoindex off;
 charset off;
 
+add_header 'X-Content-Type-Options' 'nosniff';
+add_header 'X-XSS-Protection' '1; mode=block';
+
 location /setup {
     root $MAGE_ROOT;
 
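Review bot: The two `add_header` lines sit at server level, but nginx inherits `add_header` into a nested block only when that block declares no `add_header` of its own, so any `location` that sets its own header (the `location /setup` block opened at the bottom of the hunk continues past it, and the file's other locations are outside this view) silently drops both of these without any warning. Either repeat the two directives inside every location that adds headers, or move them into a small include file and reference it from each location, so a later `add_header` in one block cannot quietly remove `nosniff` for that path. A comment next to the directives would help maintainers, e.g. `# NOTE: add_header is not inherited by any location that sets its own add_header; re-add these there.`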
-- 
GitLab