# HG changeset patch
# User Alain Mazy
# Date 1702387470 -3600
# Node ID 8f1a0ba5c7596f69d35e3c09ba520c37fc783865
# Parent 505416b269a0db667de624c8fffed45e5e2b0567
fix
diff -r 505416b269a0 -r 8f1a0ba5c759 OrthancFramework/Sources/HttpServer/HttpOutput.cpp
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Tue Dec 12 10:13:49 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Tue Dec 12 14:24:30 2023 +0100
@@ -178,6 +178,9 @@
 if (state_ == State_WritingHeader)
 {
+ // always include this header to prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+ AddHeader("X-Content-Type-Options", "nosniff");
+
 // Send the HTTP header before writing the body
 stream_.OnHttpStatusReceived(status_);
@@ -318,8 +321,6 @@
 isDeflateAllowed_(false),
 isGzipAllowed_(false)
 {
- // prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
- stateMachine_.AddHeader("X-Content-Type-Options", "nosniff");
 }
 void HttpOutput::SetDeflateAllowed(bool allowed)
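Review bot: The nosniff header is now emitted only on the path through this `if (state_ == State_WritingHeader)` block, so the "always include" promise in the new comment holds just for responses whose status line is written here; if any other member of the state machine also emits the status line and the collected headers (a multipart or streamed answer, for example), it needs the same `AddHeader("X-Content-Type-Options", "nosniff");` call, which cannot be verified from this hunk. Since `AddHeader` looks like an append, a caller that already set X-Content-Type-Options itself would now send the header twice; either guard the call with a check that the header is not already present (if the state machine can inspect its collected headers) or state in the comment that callers must not set this header themselves. The commit message "fix" does not say why the call moved out of the constructor (the second hunk); a one-line reason such as `// added at send time so that it survives any header reset done before the body is written` would help the next reader, if that is indeed the motivation. The enclosing function starts and ends outside the hunk.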