From b2ae6f92d12206ea185a2e882945a6b69234bf03 Mon Sep 17 00:00:00 2001
From: dashevchenko
Date: Wed, 27 Aug 2025 16:05:20 +0300
Subject: [PATCH] added Content-Security-Policy header to download image api to prevent malicious code injection

---
 .../java/org/thingsboard/server/controller/ImageController.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/application/src/main/java/org/thingsboard/server/controller/ImageController.java b/application/src/main/java/org/thingsboard/server/controller/ImageController.java
index f9ec7fd844..9288484f86 100644
--- a/application/src/main/java/org/thingsboard/server/controller/ImageController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/ImageController.java
@@ -300,6 +300,7 @@ public class ImageController extends BaseController {
         tbImageService.putETag(cacheKey, descriptor.getEtag());
         var result = ResponseEntity.ok()
                 .header("Content-Type", descriptor.getMediaType())
+                .header("Content-Security-Policy", "default-src 'none'")
                 .eTag(descriptor.getEtag());
         if (!cacheKey.isPublic()) {
             result
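Review bot: The added `Content-Security-Policy: default-src 'none'` header is only a partial mitigation by itself, because the response still takes `Content-Type` from `descriptor.getMediaType()` and sets nothing to stop browsers from sniffing a stored file as a different type; adding `.header("X-Content-Type-Options", "nosniff")` next to the new line would close that gap. Note that `default-src 'none'` also blocks inline styles and fonts when an SVG is opened as a top-level document, so a directly opened SVG may render differently than before — worth confirming against the image types this endpoint serves. The policy literal could be pulled into a named constant so other download endpoints can reuse the same value. The enclosing method begins before the hunk and its `if (!cacheKey.isPublic())` branch continues past its last line.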