PatrickMatthiesen / Souffle-MiniTwit

GNU General Public License v3.0

Make X-Content-Type-Options #78

Open Smus4 opened 1 year ago

Smus4 commented 1 year ago

In order to prevent MIME-sniffing attacks:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Possible fix: https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff

PatrickMatthiesen commented 1 year ago

Can probably be added with the following; just remember to figure out if it needs to be added before some of the other app.Use calls.

app.Use(async (context, next) =>
{
    // Set the anti-MIME-sniffing header on this response, then continue down the pipeline.
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    await next.Invoke();
});
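As an added illustration of the ordering question raised in the comment above (this is example code, not the Souffle-MiniTwit project's own Program.cs), here is a minimal ASP.NET Core 6+ host that registers the header middleware first in the pipeline. It uses the indexer rather than Headers.Add so a second registration cannot throw on a duplicate key, and sets the header inside Response.OnStarting so it is applied just before headers are flushed, whichever downstream component (static files, endpoint, error handler) produces the response. The "/" endpoint and the "Hello from MiniTwit" body are placeholders.

```csharp
// Added example, not the project's code: minimal Program.cs for .NET 6+ minimal hosting.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Register this BEFORE UseStaticFiles/UseRouting/Map*: static files short-circuit the
// pipeline, so anything registered after them would never run for those responses.
app.Use(async (HttpContext context, RequestDelegate next) =>
{
    // OnStarting fires immediately before the response headers are sent, so the header
    // is present even if a downstream component has already begun writing the body.
    context.Response.OnStarting(() =>
    {
        // Indexer assignment overwrites any existing value instead of throwing like Add().
        context.Response.Headers["X-Content-Type-Options"] = "nosniff";
        return Task.CompletedTask;
    });

    await next(context);
});

app.UseStaticFiles();

// Placeholder endpoint so the host serves something to check against.
app.MapGet("/", () => "Hello from MiniTwit");

app.Run();
```

To confirm the middleware is positioned correctly, request both a dynamic route and a static asset (for example with `curl -sI http://localhost:5000/ | grep -i x-content-type-options` and the same against a file under wwwroot); if the static response lacks the header, the middleware was registered after UseStaticFiles.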