From 170d0280b841b521c89229e3615f4aa2307665bc Mon Sep 17 00:00:00 2001
From: Robin Winslow <robin@robinwinslow.co.uk>
Date: Thu, 4 Aug 2022 12:36:23 +0100
Subject: [PATCH] v1.0.6: Disable MIME-sniffing

---
 CHANGELOG.md                       | 4 ++++
 canonicalwebteam/flask_base/app.py | 4 ++++
 setup.py                           | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bad728c..7b3987c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.0.6 (2022-08-04)
+
+Disable MIME-sniffing with `x-content-type-options: NOSNIFF` ([rationale here](https://github.com/canonical/web-design-systems-squad/issues/77#issuecomment-1205100399))
+
 # 1.0.5 (2022-05-05)
 
 Pin to Flask 1.1.2 to avoid dependency conflicts
diff --git a/canonicalwebteam/flask_base/app.py b/canonicalwebteam/flask_base/app.py
index a969016..f3ce067 100644
--- a/canonicalwebteam/flask_base/app.py
+++ b/canonicalwebteam/flask_base/app.py
@@ -23,6 +23,7 @@
 
 
 def set_security_headers(response):
+    # Decide whether to add x-frame-options
     add_xframe_options_header = True
 
     # Check if view_function has exclude_xframe_options_header decorator
@@ -35,6 +36,9 @@ def set_security_headers(response):
     if add_xframe_options_header and "X-Frame-Options" not in response.headers:
         response.headers["X-Frame-Options"] = "SAMEORIGIN"
 
+    # Add standard security headers
+    response.headers["X-Content-Type-Options"] = "NOSNIFF"
+
     return response
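Review bot: The header value on the added line is written as `NOSNIFF`, while the value defined by the Fetch standard and documented by MDN is lowercase `nosniff`; browsers compare it case-insensitively, but security scanners and other tooling that match the canonical string may not, so the safer spelling is `response.headers["X-Content-Type-Options"] = "nosniff"` (the CHANGELOG entry quotes the same uppercase value). The accompanying comment `# Add standard security headers` is plural but introduces exactly one header, and since it sits next to the guarded X-Frame-Options logic it would be clearer as `# Always disable MIME-sniffing; nosniff is the only defined value, so overwriting any existing header is safe`. Unlike X-Frame-Options, this assignment has no exclusion decorator and overwrites a value a view may have set; that seems intentional and harmless here because no other value exists, but it is worth stating in the comment. set_security_headers begins outside this hunk.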
 
 
diff --git a/setup.py b/setup.py
index 1ed276a..aeb1de2 100755
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@
 
 setup(
     name="canonicalwebteam.flask-base",
-    version="1.0.5",
+    version="1.0.6",
     description=(
         "Flask extension that applies common configurations"
         "to all of webteam's flask apps."