Robin S Posted July 21, 2019 Posted July 21, 2019 A client hired a security consultant to do a site analysis and they advised that the X-Content-Type-Options HTTP header should be set to "nosniff". The MDN docs for this header say: "Site security testers usually expect this header to be set."https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options This was easily resolved by adding the following to .htaccess Header set X-Content-Type-Options "nosniff" Do you think it would be good to add this to the default PW .htaccess file? 4
teppo Posted July 22, 2019 Posted July 22, 2019 This is included with the default .htaccess file, but disabled by default. See section "4. Protect from XSS with Apache headers". It seems to me that this should probably be enabled by default, but I'm guessing that it was left disabled for a reason – @ryan would be the best person to say if those reasons still apply. 2
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now