How to use X-Content-Type-Options for .css and .png files?
I have this code in my initialization file.
<?php
// These headers are only attached to responses that PHP itself generates.
// The CSP value is concatenated so no newline ends up inside the header string
// (PHP rejects a header value that contains a line break).
header("Content-Security-Policy: default-src 'none'; script-src 'self'; "
    . "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
This code works, but my problem is that it is only working on the document (localhost); on the .css and .png files it is not working.
Here are the screenshots (captions: Document (localhost); .css file; .png file).
How can I make the response headers apply to the .css and .png files as well? dareboost gave me this note:
Disable the auto-detection of resource type
Protect yourself from malicious exploitation via MIME sniffing.
MIME-Type sniffing explained
Internet Explorer and Chrome browsers have a feature called "MIME-Type
sniffing" that automatically detects a web resource's type. This
means, for example, that a resource identified as an image can be read
as a script if its content is a script.
This property allows a malicious person to send a file to your website
to inject malicious code. We advise you to disable the MIME-Type
sniffing to limit such activity.
How to prevent MIME-Type sniffing
Configure a "X-Content-Type-Options" HTTP header. Add the
"X-Content-Type-Options" HTTP header in the responses of each
resource, associated to the "nosniff" value. It allows you to guard
against such misinterpretations of your resources.
On this page, you should configure the following resources, that risk
being misinterpreted:
www.example.com/path/style.css www.example.com/path/logo.png www.example.com/path/icon.png
How do I do this?
You can set these HTTP response headers in your server config (or .htaccess file). For example, to apply the X-Content-Type-Options HTTP response header only to .css and .png files, try the following:
# Requires mod_headers. The dot is escaped so the pattern matches the literal
# extension separator; an unescaped "." would match any character.
<FilesMatch "\.(css|png)$">
    Header set X-Content-Type-Options nosniff
</FilesMatch>
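The question's screenshots and the answer above come down to one check: does every resource, not only the PHP document, carry X-Content-Type-Options: nosniff, and is its Content-Type correct enough that nosniff does not break it (once sniffing is off, a stylesheet served as text/plain is refused outright, so the MIME type must be right before the header is rolled out). The following is an added example, not code from the question, the answer or dareboost: it parses raw response heads, reports both problems, and builds the FilesMatch block with the dot escaped. The sample responses are constructed to mirror the three resources in the question plus one mis-typed stylesheet; the paths and the helper names are assumptions.

```python
"""Audit static-resource responses for X-Content-Type-Options: nosniff.

Added example: the sample responses below are constructed, not captured
from the site in the question.
"""
from typing import Dict, List

# With nosniff set, browsers enforce these types strictly: a .css served
# as text/plain is refused as a stylesheet, so the Content-Type must be
# right before the header is rolled out.
EXPECTED_TYPES: Dict[str, set] = {
    ".css": {"text/css"},
    ".js": {"text/javascript", "application/javascript"},
    ".png": {"image/png"},
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict keyed by lower-case name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue  # blank line or body; nothing to parse
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def has_nosniff(headers: Dict[str, str]) -> bool:
    """True only for the exact, case-insensitive value 'nosniff'."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def check_resource(path: str, raw: str) -> List[str]:
    """Return findings for one response; an empty list means it is fine."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if not has_nosniff(headers):
        findings.append("missing X-Content-Type-Options: nosniff")
    ext = path[path.rfind("."):].lower() if "." in path else ""
    expected = EXPECTED_TYPES.get(ext)
    if expected:
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in expected:
            findings.append(
                f"Content-Type {ctype or '(none)'} is not {sorted(expected)}; "
                "with nosniff the browser will refuse this resource"
            )
    return findings


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_resource over a path -> raw response head mapping."""
    return {path: check_resource(path, raw) for path, raw in responses.items()}


def apache_nosniff_block(extensions: List[str]) -> str:
    """Build the FilesMatch block from the answer with the dot escaped.

    An unescaped '.' in the pattern matches any character, so a file named
    'xcss' would match too; a backslash-escaped dot restricts the match to
    the literal extension separator.
    """
    alternation = "|".join(ext.lstrip(".") for ext in extensions)
    return "\n".join([
        f'<FilesMatch "\\.({alternation})$">',
        "    Header set X-Content-Type-Options nosniff",
        "</FilesMatch>",
    ])


# Constructed sample response heads (assumed, not captured): the PHP
# document sends the header, the static files served directly by Apache
# do not, and one stylesheet is mis-typed.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/index.php": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n"
    ),
    "/path/style.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n",
    "/path/logo.png": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
    "/path/legacy.css": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(path, "OK" if not findings else "; ".join(findings))
    print(apache_nosniff_block(["css", "png"]))
```

To run this against a live server, replace the constructed heads with the output of curl -sI for each URL dareboost listed; the static files are the ones to watch, since they never pass through the PHP initialization file and only pick up the header from the web-server configuration.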