always add X-Content-Type-Options: nosniff header

src/download.rs

@@ -6,7 +6,7 @@ use actix_web::{
     http::header::{
         Accept, CacheControl, CacheDirective, Charset, ContentDisposition, DispositionParam,
         DispositionType, Expires, ExtendedValue, Header, HeaderValue, HttpDate, TryIntoHeaderValue,
-        ACCEPT, CACHE_CONTROL, CONTENT_TYPE, EXPIRES, VARY, X_CONTENT_TYPE_OPTIONS,
+        ACCEPT, CACHE_CONTROL, CONTENT_TYPE, EXPIRES, VARY,
     },
     web, Error, HttpRequest, HttpResponse,
 };
@@ -183,9 +183,6 @@ fn add_headers(req: &HttpRequest, download: bool, response: &mut HttpResponse) {
             HeaderValue::from_str(APPLICATION_OCTET_STREAM.as_ref())
                 .expect("mime type can be encoded to header value"),
         );
-        response
-            .headers_mut()
-            .insert(X_CONTENT_TYPE_OPTIONS, HeaderValue::from_static("nosniff"));
     }
     // the reponse varies based on these request headers
     response

src/main.rs

@@ -11,7 +11,7 @@ use crate::rate_limit::ForwardedPeerIpKeyExtractor;
 use actix_files::Files;
 use actix_governor::{Governor, GovernorConfigBuilder};
 use actix_web::{
-    http::header::{HeaderName, CONTENT_SECURITY_POLICY},
+    http::header::{HeaderName, HeaderValue, CONTENT_SECURITY_POLICY, X_CONTENT_TYPE_OPTIONS},
     middleware::{self, DefaultHeaders, Logger},
     web::{self, Data},
     App, Error, HttpResponse, HttpServer,
@@ -69,7 +69,11 @@ async fn main() -> std::io::Result<()> {
         move || {
             let app = App::new()
                 .wrap(Logger::new(r#"%{r}a "%r" =%s %bbytes %Tsec"#))
-                .wrap(DefaultHeaders::new().add(DEFAULT_CSP))
+                .wrap(
+                    DefaultHeaders::new()
+                        .add(DEFAULT_CSP)
+                        .add((X_CONTENT_TYPE_OPTIONS, HeaderValue::from_static("nosniff"))),
+                )
                 .wrap(middleware::Compress::default())
                 .app_data(db.clone())
                 .app_data(expiry_watch_sender.clone())