Add `x-content-type-options: nosniff` header to `/assets/*` requests
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/296965
Customer ticket in https://gitlab.zendesk.com/agent/tickets/189514
The assets served from `/assets/*` don't have the `x-content-type-options: nosniff` header and it shows up in security scans.
It's not exploitable as we don't host user content in those paths, but it would be great to solve that anyway to get rid of the security warnings and save all our customer-facing support and field-security colleagues the time of having to answer questions about this.
I believe we can simply add `add_header X-Content-Type-Options nosniff` in https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/5aae6afa16ee857957fb42fbc7c7302f8bf9ff5c/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb#L195-198 but I'm not very knowledgeable about nginx, so that might be completely wrong. I'll open an MR anyway and we can close it if that's not it.
/cc @mloveless
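
A sketch of the change proposed above, added here as an example and not taken from the omnibus-gitlab template or the issue author. The `location` body, the `root` path and the server-level HSTS header are constructed stand-ins, included to show how nginx's `add_header` inheritance affects a header added inside a `location` block.

```nginx
server {
    # Constructed server-level header (assumption, not from the linked
    # template), present only to demonstrate the inheritance rule below.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Before: assets are served without X-Content-Type-Options.
    #
    # location /assets/ {
    #     root /srv/example/public;   # placeholder path
    # }

    # After:
    location /assets/ {
        root /srv/example/public;     # placeholder path

        # "always" (nginx 1.7.5 and later) also sets the header on error
        # responses such as 404, which scanners request as well.
        add_header X-Content-Type-Options nosniff always;

        # add_header directives are inherited from the enclosing level only
        # when the current level defines none. Adding the line above stops
        # this location from inheriting the server-level header, so any
        # header still wanted on /assets/ has to be repeated here.
        add_header Strict-Transport-Security "max-age=63072000" always;
    }
}
```

After a reload, the response headers for a request under `/assets/` should include `X-Content-Type-Options: nosniff` along with every header that was present before the change.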