Task #12561
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_IBAM - Missing "X-Content-Type-Options" Header [LOW]
Status: | Work Completed-End life cycle | Start date: | November 08, 2021
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | Nurul Athira Abdul Rahim | % Done: | 100%
Category: | Penetration Test Issue | Spent time: | -
Target version: | - | |
Description
The "X-Content-Type-Options" header, sent with the value "nosniff", tells the browser (originally IE and Chrome; all major browsers honour it today) not to MIME-sniff a response and to trust the declared Content-Type instead. This prevents untrusted content (e.g. user-uploaded files) from being interpreted as HTML or script in the user's browser when the file has been given a misleading name or crafted contents.
Solution provided by LGMS:
Configure the web/application server to send the "X-Content-Type-Options" header with the value "nosniff" on every outgoing response, including static files and error pages.
For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx
For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html
Affected URL:
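The fix itself is one directive per server: for Apache (mod_headers) "Header always set X-Content-Type-Options "nosniff"", for nginx "add_header X-Content-Type-Options "nosniff" always;" (note that nginx add_header is not inherited by a location block that declares its own add_header, so the directive must be repeated there), and for IIS a customHeaders entry under system.webServer/httpProtocol in web.config. What the history of this task shows is that the retest must be run against every host that serves content, not only the front web server. The following is an added example, not code from LGMS or the IBAM project: it stands up two local stand-ins for the unfixed "application URL" and the fixed "web URL", serves a constructed user upload whose bytes look like HTML under a text/plain Content-Type, and runs the same header check a retest would run against both. All hostnames, ports, paths and response bodies are constructed for the demo.

```python
"""
Added example (not part of the original LGMS finding or the IBAM project):
a local reproduction of the missing X-Content-Type-Options header, the
fixed response, and the retest check run against both.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample "user upload": bytes that look like HTML but are served
# as text/plain. Without nosniff a sniffing browser may render it as a page
# and execute the script; with nosniff it is shown as plain text.
UPLOAD_BODY = b"<html><script>alert('xss')</script></html>"


class UnfixedHandler(BaseHTTPRequestHandler):
    """Before the fix: Content-Type only, no X-Content-Type-Options."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(UPLOAD_BODY)))
        self.end_headers()
        self.wfile.write(UPLOAD_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


class FixedHandler(UnfixedHandler):
    """After the fix: the header is sent on every response."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(UPLOAD_BODY)))
        self.end_headers()
        self.wfile.write(UPLOAD_BODY)


def start_server(handler):
    """Bind a handler to an ephemeral loopback port; return (base URL, server)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


def nosniff_present(headers):
    """Return True only if X-Content-Type-Options carries the value nosniff.

    The value is compared case-insensitively with surrounding whitespace
    stripped, which is how browsers evaluate it. Misspellings such as
    'no-sniff' or an empty value do not count as a fix. (urllib's
    HTTPMessage looks the header name up case-insensitively.)
    """
    value = headers.get("X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def check_url(url):
    """Fetch one URL and report whether the nosniff header is set on it."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return nosniff_present(resp.headers)


def retest():
    """Run the check against both stand-ins, as a retest should do per host."""
    app_url, app_srv = start_server(UnfixedHandler)   # hypothetical "application URL"
    web_url, web_srv = start_server(FixedHandler)     # hypothetical "web URL"
    try:
        return {
            "application_url": check_url(app_url + "/uploads/report.txt"),
            "web_url": check_url(web_url + "/uploads/report.txt"),
        }
    finally:
        for srv in (app_srv, web_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, ok in retest().items():
        print(f"{name}: {'OK' if ok else 'MISSING X-Content-Type-Options'}")
```

Running the block prints one line per host; the unfixed stand-in reports the header as missing while the fixed one passes, which is exactly the split seen in the March retest when the scanner was pointed at the application URL. In a real retest, replace the two stand-ins with every URL in scope and run the check on static files and error responses as well as the main pages.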
Related issues
History
#1 Updated by Najmi Pasarudin almost 3 years ago
- Status changed from New - Begin Life Cycle to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
- % Done changed from 0 to 100
Please refer to sc4.png at Task 12560.
#2 Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from Internal Testing to System Integration Test
#3 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Kindly review the fixes, as the new pentest (March 9, 2022) result status stated "not solved".
#4 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to Pending Review
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
LGMS team tested the application URL instead of the web URL.
Fixes already applied to staging and production web server.
#5 Updated by Nurul Athira Abdul Rahim about 2 years ago
- Status changed from Pending Review to Work Completed-End life cycle