API Responses are missing X-Content-Type-Options header
From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:
- Effort: Trivial
- Impact: High
- Location: HttpHeaders
It was found that API responses, unlike most other responses from the Gitlab application, are missing the X-Content-Type-Options (XCTO) header. This allows to use the API responses for various client-side attacks as shown in subsequent findings.
Example API response headers:
Server: nginx Date: Tue, 25 Jul 2017 09:22:09 GMT Connection: keep-alive Cache-Control: max-age=0, private, must-revalidate Etag: W/"bb127251e3e48a3927c3ce74b6a53d59" Vary: Origin X-Frame-Options: SAMEORIGIN X-Request-Id: 76fa97f0-8c61-4d15-9e54-0ee0109b5d3d X-Runtime: 0.029132 Strict-Transport-Security: max-age=31536000
Request anything from the API and observe the response headers.
It is recommended to use all HTTP security headers deployed by the website for the API as well. Adding the XCTO response header should not impact the website/API functionality in any way.