Jump to content

Should PW set the X-Content-Type-Options header?

Robin S

By Robin S,
in Security

 Share

Recommended Posts

Robin S Hero Member

Robin S

Posted
Posted

A client hired a security consultant to do a site analysis and they advised that the X-Content-Type-Options HTTP header should be set to "nosniff".

The MDN docs for this header say: "Site security testers usually expect this header to be set."
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

This was easily resolved by adding the following to .htaccess 

Header set X-Content-Type-Options "nosniff"

Do you think it would be good to add this to the default PW .htaccess file?

  • Like 4
Link to comment
Share on other sites
teppo Hero Member

teppo

Posted
Posted

This is included with the default .htaccess file, but disabled by default. See section "4. Protect from XSS with Apache headers".

It seems to me that this should probably be enabled by default, but I'm guessing that it was left disabled for a reason – @ryan would be the best person to say if those reasons still apply.

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...