anti 99ccd41bb5 feat(api/artifacts): explicit Content-Disposition + X-Content-Type-Options ...

Harden the attacker-controlled artifact download path (F7) with explicit
response headers instead of relying on Starlette's defaults (which only
emit attachment for non-ASCII filenames and never set nosniff). Also
resolves the THREAT_MODEL F7 path-traversal row (containment check was
already in _resolve_artifact_path) and the fleet-deploy detail=str(e)
audit (all four sites are admin-gated deliberate validator UX or
structured worker-response fields).

2026-04-24 13:24:34 -04:00

5.7 KiB

Raw Blame History

View Raw