Content-Type-Not-Correct/EN: Difference between revisions

 
Zeile 1: Zeile 1:
 
=== {{:{{PAGENAME}}/Headline}} ===
 
=== {{:{{PAGENAME}}/Headline}} ===
 +
 +
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
  
 
{| class="wikitable"
 
{| class="wikitable"
|'''Check'''|| {{:{{PAGENAME}}/Negative}}
+
|'''Result positive'''|| {{:{{PAGENAME}}/Positive}}
 +
|-
 +
|'''Result negativ'''|| {{:{{PAGENAME}}/Negative}}
 
|-
 
|-
 
|'''Description'''||  {{:{{PAGENAME}}/Description}}
 
|'''Description'''||  {{:{{PAGENAME}}/Description}}
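Review bot: the row label '''Result negativ''' in the new table rows is misspelled; it should read '''Result negative''' to match '''Result positive''' in the row above it. The label is rendered verbatim on the page, so the typo is visible to every reader of the check result.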

Latest revision as of 3 April 2019, 16:06

Check of the HTTP content type

If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.

Result positive: The content type is configured correctly.
Result negative: The HTTP content type is configured incorrectly.
Description: The content type is a declaration that is usually placed in the header of a web page, the so-called HTTP header. This declaration defines the character set and the type of data that the page contains. If the definition is missing, the web browser will try to guess the content type; this can lead to security flaws such as Code-Page-Sniffing. This information is also important for rendering the web page correctly in every browser and on every computer. If a server sends a document to a User Agent (for example, to the browser), it is helpful to supply some information about the file format in the content type field of the HTTP header. This information declares the MIME type of the document, such as text/html or text/plain, and its character encoding to the browser.
Background: The content type is a metadata declaration which is placed in the header of a web page. This declaration defines the character set and the type of data that the page contains. This information is important for rendering the web page correctly in every browser and on every computer. The content type can be specified in the source code by entering a relatively short piece of code. The UTF-8 character set should be used.
Consequence: By specifying the correct header declaration, various cross-site scripting attacks can be prevented. If the character encoding is not specified, some web browsers will try to interpret the source code, thus making certain attacks possible which require a different character set.
Solution/Tips: If the content type declaration is not configured correctly, your website is probably vulnerable to attacks.

Add the appropriate HTTP header or, alternatively, add a <meta> tag. Please note that, unlike an HTTP header, the <meta> tag can be attacked more easily.

Content-Type: text/html; charset=utf-8

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Furthermore, the server must be configured to send the correct charset information. In order to make these changes on the server, particular access rights are required. For further information about the different server configuration options, please refer to W3.org.

Moreover, it is also possible to set the correct charset information in the .htaccess file, which will override the declaration in the HTTP header. (charset in .htaccess)

Enter in the .htaccess file:

AddType 'text/html; charset=UTF-8' html

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
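
A small check of the content type declaration described above, as an added example (it is not part of the original page and not the SIWECOS scanner's own logic). The verdict names, the 1024-byte search window for the <meta> tag, the rule that only text types need a charset, and the sample responses are assumptions made for illustration.

```python
import re
# Matches <meta charset="..."> and the http-equiv form shown on this page.
META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?\s*([\w.:-]+)', re.I)

def parse_content_type(value):
    """Split a Content-Type value into (mime_type, charset or None)."""
    parts = [p.strip() for p in value.split(";")]
    charset = None
    for param in parts[1:]:  # empty parts from a trailing ';' are skipped
        name, _, val = param.partition("=")
        if name.strip().lower() == "charset":
            charset = val.strip().strip("\"'").lower()
    return parts[0].lower(), charset

def check_content_type(headers, body=b""):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'fail'."""
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    m = META_CHARSET.search(body[:1024])  # assumption: declaration sits near the top
    meta = m.group(1).decode("ascii").lower() if m else None
    if value is None:
        if meta:
            return "warn", f"charset {meta} only in <meta>, no HTTP header"
        return "fail", "no Content-Type header, the browser has to guess"
    mime, charset = parse_content_type(value)
    if mime.count("/") != 1:
        return "fail", f"malformed media type {mime!r}"
    if not mime.startswith("text/"):  # assumption: only text types need a charset
        return "ok", mime
    if charset is None:
        if meta:
            return "warn", f"charset {meta} only in <meta>, not in the header"
        return "fail", f"{mime} sent without a charset"
    if meta and meta != charset:
        return "fail", f"header says {charset}, <meta> says {meta}"
    if charset != "utf-8":
        return "warn", f"{charset} declared, UTF-8 is recommended"
    return "ok", f"{mime}; charset={charset}"

# Constructed sample responses (header dict, start of body); not real scan data.
META = b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
SAMPLES = [
    ({"Content-Type": "text/html; charset=utf-8"}, META),
    ({"content-type": "text/html"}, META),
    ({"Content-Type": "text/html; charset=ISO-8859-1"}, META),
    ({}, b"<html><body>hello</body></html>"),
]
if __name__ == "__main__":
    for hdrs, body in SAMPLES:
        print(hdrs, "->", check_content_type(hdrs, body))
```

A header and a <meta> tag that disagree are reported as a failure because the browser then has two conflicting declarations to choose from.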