X-Content-Type-Options-Vulnerability/EN

From Siwecos
Version of 7 May 2020, 10:41 by Siwebot (talk | contribs)

Check of the X-Content-Type-Options header

If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.

Result positive: The HTTP header is set correctly.
Result negative: X-Content-Type header is missing.
Description: The X-Content-Type-Options setting in the header prevents the browser from interpreting data as anything other than what the Content-Type in the HTTP header declares. Here the header is not set.
Background: There is only one definable value, "nosniff", which prevents Internet Explorer and Google Chrome from guessing ("sniffing") a MIME type other than the declared Content-Type (for example text/html). For Chrome this also applies to downloaded extensions. The header entry reduces the risk of so-called drive-by download attacks. Websites that allow file uploads could otherwise infect your computer or other computers with malicious code: an uploaded file whose name is chosen skilfully would be treated by the browser as an executable file or as dynamic HTML. For further information on X-Content-Type-Options, please refer to the report by Golem.de (German only).
Consequence: Implementation is easy and does not require additional adjustments. Prevents attacks on users of Internet Explorer.
Solution/Tips: X-Content-Type-Options: nosniff
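The following is an added example, not code from the Siwecos scanner or this page: a small offline check that reproduces the positive/negative verdict described above for a set of response headers. It evaluates the header the way browsers do according to the Fetch standard (header name matched case-insensitively, only the first comma-separated value counts, compared case-insensitively), so it also handles the edge cases a scanner meets in practice: a proxy that folds duplicate headers into "nosniff, nosniff", a lower-case header name, and a misspelled value. The sample responses are constructed, not captured from any real site; the function names are this example's own.

```python
"""Offline check for the X-Content-Type-Options header (added example)."""
from typing import Dict, Optional, Tuple


def nosniff_value(headers: Dict[str, str]) -> Optional[str]:
    """Return the effective X-Content-Type-Options value, or None if absent.

    HTTP header names are case-insensitive, so the lookup normalises them.
    When duplicate headers have been folded into "a, b", browsers use the
    first comma-separated value, so that is what is returned (lower-cased,
    because the Fetch standard compares it case-insensitively).
    """
    for name, value in headers.items():
        if name.lower() == "x-content-type-options":
            return value.split(",", 1)[0].strip().lower()
    return None


def check_x_content_type_options(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Positive (True) only when the header is present with the value "nosniff".

    The messages mirror the scanner's result texts quoted on this page.
    """
    value = nosniff_value(headers)
    if value is None:
        return False, "X-Content-Type header is missing."
    if value != "nosniff":
        # Any other value is ignored by browsers, so it gives no protection.
        return False, f'X-Content-Type-Options has the unknown value "{value}"; only "nosniff" is defined.'
    return True, "The HTTP header is set correctly."


# Constructed sample responses (hypothetical, not from a real server).
SAMPLES = {
    "correct": {"Content-Type": "text/html; charset=utf-8",
                "X-Content-Type-Options": "nosniff"},
    "missing": {"Content-Type": "text/html; charset=utf-8"},
    "mixed_case": {"content-type": "text/html",
                   "x-content-type-options": "NOSNIFF"},
    "folded_dup": {"X-Content-Type-Options": "nosniff, nosniff"},
    "typo": {"X-Content-Type-Options": "no-sniff"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        ok, msg = check_x_content_type_options(hdrs)
        print(f"{label:12s} {'positive' if ok else 'negative'}: {msg}")
```

To use it against a live site you would feed it the header dictionary of an HTTP response (for example the headers attribute of a response object from an HTTP client library); the verdict logic itself needs no network access.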

Code example of an .htaccess file on an Apache webserver.

<IfModule mod_headers.c>
  # prevent mime based attacks like drive-by download attacks, IE and Chrome
  Header set X-Content-Type-Options "nosniff"
</IfModule>

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)