Robin S

Should PW set the X-Content-Type-Options header?

A client hired a security consultant to do a site analysis and they advised that the X-Content-Type-Options HTTP header should be set to "nosniff".

The MDN docs for this header say: "Site security testers usually expect this header to be set."
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

This was easily resolved by adding the following to .htaccess

Header set X-Content-Type-Options "nosniff"

Do you think it would be good to add this to the default PW .htaccess file?

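A quick way to confirm the fix took effect is to capture a response head (for example with `curl -sI`) and check it with a small parser; the following is an added example, not code from the forum post or from ProcessWire, and both sample responses are constructed rather than captured from a real site.

```python
"""Check a captured HTTP response head for X-Content-Type-Options: nosniff.

Added example, not from the ProcessWire forum post. The sample responses
below are constructed, not captured from a real site.
"""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 response head (status line + headers) into a
    dict keyed by lower-cased header name; repeated headers keep their order."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_nosniff(raw: str) -> bool:
    """True only if X-Content-Type-Options is present with the value
    'nosniff' (compared case-insensitively). A missing header, an empty
    value or a misspelling such as 'no-sniff' all count as not set."""
    values = parse_headers(raw).get("x-content-type-options", [])
    return any(v.lower() == "nosniff" for v in values)


# Constructed sample: response after `Header set X-Content-Type-Options "nosniff"`
WITH_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

# Constructed sample: the header line still commented out in .htaccess
WITHOUT_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("with", WITH_HEADER), ("without", WITHOUT_HEADER)):
        print(f"{label}: nosniff={'set' if has_nosniff(raw) else 'MISSING'}")
```

One caveat when reading the result: Apache's `Header set` applies to its success responses, so if a scanner also checks Apache-generated error pages you would need `Header always set` for those to carry the header as well.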

This is included with the default .htaccess file, but disabled by default. See section "4. Protect from XSS with Apache headers".

It seems to me that this should probably be enabled by default, but I'm guessing that it was left disabled for a reason – @ryan would be the best person to say if those reasons still apply.
