changeset 5287:3ec58a8c42f5

Merged latest changes not tested for v5.1
author Sascha Wilde <wilde@intevation.de>
date Wed, 01 Jul 2020 17:57:17 +0200
parents 6a6734836828 (current diff) fdbc28a71691 (diff)
children 48bef30cdb72
files
diffstat 2 files changed, 27 insertions(+), 8 deletions(-) [+]
--- a/cmd/gemma/main.go	Wed Jul 01 17:56:17 2020 +0200
+++ b/cmd/gemma/main.go	Wed Jul 01 17:57:17 2020 +0200
@@ -34,6 +34,7 @@
 	"gemma.intevation.de/gemma/pkg/controllers"
 	"gemma.intevation.de/gemma/pkg/geoserver"
 	"gemma.intevation.de/gemma/pkg/imports"
+	"gemma.intevation.de/gemma/pkg/middleware"
 	"gemma.intevation.de/gemma/pkg/scheduler"
 )
 
@@ -67,15 +68,9 @@
 	m := mux.NewRouter()
 	controllers.BindRoutes(m)
 
-	dir := http.FileServer(http.Dir(web))
+	dir := middleware.NoSniff(http.FileServer(http.Dir(web)))
 
-	xframes := http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
-		res.Header().Set("X-Frame-Options", "sameorigin")
-		res.Header().Set("X-Content-Type-Options", "nosniff")
-		dir.ServeHTTP(res, req)
-	})
-
-	m.PathPrefix("/").Handler(xframes)
+	m.PathPrefix("/").Handler(dir)
 
 	addr := fmt.Sprintf("%s:%d", config.WebHost(), config.WebPort())
 	log.Printf("info: listen on %s\n", addr)
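Review bot: The two security headers still reach only the responses answered by the `PathPrefix("/")` file server. Routes registered by `controllers.BindRoutes(m)` do not pass through `middleware.NoSniff` at this point, so API responses carry `X-Content-Type-Options` and `X-Frame-Options` only if that package applies the wrapper itself, which this hunk does not show. If site-wide coverage is intended, register it once on the router with `m.Use(middleware.NoSniff)` (assuming `mux` is gorilla/mux; the import is outside the hunk), or wrap `m` where it is handed to the server. The enclosing function starts and ends outside the hunk.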
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pkg/middleware/nosniff.go	Wed Jul 01 17:57:17 2020 +0200
@@ -0,0 +1,24 @@
+// This is Free Software under GNU Affero General Public License v >= 3.0
+// without warranty, see README.md and license for details.
+//
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// License-Filename: LICENSES/AGPL-3.0.txt
+//
+// Copyright (C) 2020 by via donau
+//   – Österreichische Wasserstraßen-Gesellschaft mbH
+// Software engineering by Intevation GmbH
+//
+// Author(s):
+//  * Sascha L. Teichmann <sascha.teichmann@intevation.de>
+
+package middleware
+
+import "net/http"
+
+func NoSniff(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
+		res.Header().Set("X-Frame-Options", "sameorigin")
+		res.Header().Set("X-Content-Type-Options", "nosniff")
+		next.ServeHTTP(res, req)
+	})
+}
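Review bot: `NoSniff` is exported without a doc comment, and its name describes only half of what it does: besides `X-Content-Type-Options: nosniff` it also sets `X-Frame-Options: sameorigin`. A comment such as `// NoSniff wraps next and sets X-Content-Type-Options: nosniff and X-Frame-Options: sameorigin on every response before delegating.` would make the framing restriction visible to callers who pick the middleware by name. Current browsers prefer the CSP `frame-ancestors` directive over `X-Frame-Options`, so consider adding `res.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")` alongside it, provided no other layer already sets a CSP header that this would replace.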