From 58d5c6c5e30b80d31f9f27b7529e0d4507c86d74 Mon Sep 17 00:00:00 2001 From: silverwind Date: Fri, 24 Apr 2026 10:54:21 +0000 Subject: [PATCH] Add X_CONTENT_TYPE_OPTIONS (#389) https://github.com/go-gitea/gitea/pull/37354 --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: wxiaoguang <29147+wxiaoguang@noreply.gitea.com> Reviewed-on: https://gitea.com/gitea/docs/pulls/389 Reviewed-by: wxiaoguang <29147+wxiaoguang@noreply.gitea.com> Co-authored-by: silverwind Co-committed-by: silverwind --- docs/administration/config-cheat-sheet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/administration/config-cheat-sheet.md b/docs/administration/config-cheat-sheet.md index 59514cf4..0fc608d2 100644 --- a/docs/administration/config-cheat-sheet.md +++ b/docs/administration/config-cheat-sheet.md @@ -612,7 +612,8 @@ And the following unique queues: - `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request. Number of trusted proxy count. Set to zero to not use these headers. - `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all. -- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value for web responses. Set to `unset` to not send the header. Previously located in `[cors]`. +- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value for all HTTP responses. Set to `unset` to not send the header. Previously located in `[cors]`. +- `X_CONTENT_TYPE_OPTIONS`: **nosniff**: Set the `X-Content-Type-Options` header value for all HTTP responses. Set to `unset` to not send the header. - `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with Git Hook privilege to create custom Git Hooks. :::warning