fix: add X-Content-Type-Options nosniff header to downloads (Closes #173) (#184)

lib/AppInfo/Application.php

@@ -6,6 +6,7 @@ namespace OCA\Mitgliederverwaltung\AppInfo;
 
 use OCA\Mitgliederverwaltung\Middleware\AuthorizationMiddleware;
 use OCA\Mitgliederverwaltung\Middleware\RateLimitMiddleware;
+use OCA\Mitgliederverwaltung\Middleware\SecurityHeadersMiddleware;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
@@ -21,6 +22,7 @@ class Application extends App implements IBootstrap {
     public function register(IRegistrationContext $context): void {
         $context->registerMiddleware(AuthorizationMiddleware::class);
         $context->registerMiddleware(RateLimitMiddleware::class);
+        $context->registerMiddleware(SecurityHeadersMiddleware::class);
     }
 
     public function boot(IBootContext $context): void {

lib/Middleware/SecurityHeadersMiddleware.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\Mitgliederverwaltung\Middleware;
+
+use OCP\AppFramework\Http\DownloadResponse;
+use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+
+/**
+ * Adds security headers to download responses.
+ *
+ * Ensures all file download responses include:
+ * - X-Content-Type-Options: nosniff (prevents MIME-type sniffing)
+ *
+ * Content-Disposition: attachment is already set by Nextcloud's
+ * DownloadResponse class.
+ *
+ * Part of Issue #173.
+ */
+class SecurityHeadersMiddleware extends Middleware {
+
+    /**
+     * Add security headers after the controller action returns a response.
+     */
+    public function afterController($controller, $methodName, Response $response): Response {
+        if ($response instanceof DownloadResponse) {
+            $response->addHeader('X-Content-Type-Options', 'nosniff');
+        }
+
+        return $response;
+    }
+}