From 089a775b84aeec2d4491920d6dadafb48e10579f Mon Sep 17 00:00:00 2001
From: shahondin1624 <throwaway278598@protonmail.com>
Date: Fri, 10 Apr 2026 16:25:41 +0200
Subject: [PATCH] fix: add X-Content-Type-Options nosniff header to downloads
 (Closes #173) (#184)

---
 lib/AppInfo/Application.php                  |  2 ++
 lib/Middleware/SecurityHeadersMiddleware.php | 34 ++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 lib/Middleware/SecurityHeadersMiddleware.php

diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index ddac787..4a6f8a7 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -6,6 +6,7 @@ namespace OCA\Mitgliederverwaltung\AppInfo;
 
 use OCA\Mitgliederverwaltung\Middleware\AuthorizationMiddleware;
 use OCA\Mitgliederverwaltung\Middleware\RateLimitMiddleware;
+use OCA\Mitgliederverwaltung\Middleware\SecurityHeadersMiddleware;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
@@ -21,6 +22,7 @@ class Application extends App implements IBootstrap {
     public function register(IRegistrationContext $context): void {
         $context->registerMiddleware(AuthorizationMiddleware::class);
         $context->registerMiddleware(RateLimitMiddleware::class);
+        $context->registerMiddleware(SecurityHeadersMiddleware::class);
     }
 
     public function boot(IBootContext $context): void {
diff --git a/lib/Middleware/SecurityHeadersMiddleware.php b/lib/Middleware/SecurityHeadersMiddleware.php
new file mode 100644
index 0000000..2f4ba9e
--- /dev/null
+++ b/lib/Middleware/SecurityHeadersMiddleware.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\Mitgliederverwaltung\Middleware;
+
+use OCP\AppFramework\Http\DownloadResponse;
+use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+
+/**
+ * Adds security headers to download responses.
+ *
+ * Ensures all file download responses include:
+ * - X-Content-Type-Options: nosniff (prevents MIME-type sniffing)
+ *
+ * Content-Disposition: attachment is already set by Nextcloud's
+ * DownloadResponse class.
+ *
+ * Part of Issue #173.
+ */
+class SecurityHeadersMiddleware extends Middleware {
+
+    /**
+     * Add security headers after the controller action returns a response.
+     */
+    public function afterController($controller, $methodName, Response $response): Response {
+        if ($response instanceof DownloadResponse) {
+            $response->addHeader('X-Content-Type-Options', 'nosniff');
+        }
+
+        return $response;
+    }
+}