added Content-Security-Policy header to download image api to prevent malicious code injection

2025-08-27 16:05:20 +03:00 · 2025-08-27 16:05:20 +03:00 · b2ae6f92d1
commit b2ae6f92d1
parent 00381459c2
1 changed files with 1 additions and 0 deletions
--- a/application/src/main/java/org/thingsboard/server/controller/ImageController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/ImageController.java
@ -300,6 +300,7 @@ public class ImageController extends BaseController {
        tbImageService.putETag(cacheKey, descriptor.getEtag());
        var result = ResponseEntity.ok()
                .header("Content-Type", descriptor.getMediaType())
+                .header("Content-Security-Policy", "default-src 'none'")
                .eTag(descriptor.getEtag());
        if (!cacheKey.isPublic()) {
            result