add X-Content-Type-Options "nosniff" response header when serving submission file + Only allow inline download for pdf-files.
Serve any other filetype as application/octet-stream preventing browsers from “guessing” the MIMEtype of the file. This prevents file submissions with HTML/JS from getting executed by the browser.

Submitted by Elmer van Chastelet on 12 March 2025 at 14:17