Kaufman445: How to use X-Content-Type-Options for .css and .png files?

@Kaufman445

Posted in: #Apache2 #Php

I have this code in my initialization file.

// The CSP value must be a single line: PHP's header() refuses a value containing a newline.
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';");
header("X-XSS-Protection: 1; mode=block");
header('X-Content-Type-Options: nosniff');


This code works, but my problem is that it only works for the document itself (localhost); for the .css and .png files it is not working.

Here are the screenshots:

[screenshot: Document (localhost)]

[screenshot: .css file]

[screenshot: .png file]

How can I make the response headers apply to the .css and .png files as well? dareboost gave me this note:


Disable the auto detection of resource type

Protect yourself from
malicious exploitation via MIME sniffing.

MIME-Type sniffing explained

Internet Explorer and Chrome browsers have a feature called "MIME-Type
sniffing" that automatically detects a web resource's type. This
means, for example, that a resource identified as an image can be read
as a script if its content is a script.

This property allows a malicious person to send a file to your website
to inject malicious code. We advise you to disable the MIME-Type
sniffing to limit such activity.

How to prevent MIME-Type sniffing

Configure an "X-Content-Type-Options" HTTP header. Add the
"X-Content-Type-Options" HTTP header to the responses of each
resource, associated with the "nosniff" value. It allows you to guard
against such misinterpretations of your resources.

On this page, you should configure the following resources, which risk
being misinterpreted:

www.example.com/path/style.css
www.example.com/path/logo.png
www.example.com/path/icon.png

How do I do this?


@Ogunnowo487

You can set these HTTP response headers in your server config (or .htaccess file). For example, to apply the X-Content-Type-Options HTTP response header only to .css and .png files, try the following:

# Requires mod_headers. The dot is escaped so the pattern matches a literal
# ".css"/".png" extension rather than any character before "css"/"png".
<FilesMatch "\.(css|png)$">
Header set X-Content-Type-Options nosniff
</FilesMatch>

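To confirm that the header actually reaches the static files after the server change, here is an added check (not from the original post) that audits response heads for the nosniff header and for a Content-Type the browser will accept once nosniff is in force; the responses below are constructed samples standing in for the document, style.css and logo.png, and nothing is fetched from the network.

```python
# Added check: audit raw HTTP response heads for X-Content-Type-Options and
# for a Content-Type that nosniff will accept. Samples are constructed inline.
import os
from urllib.parse import urlsplit

# Once nosniff is set, a stylesheet not served as text/css is refused by the
# browser, so a wrong Content-Type becomes a hard failure, not a warning.
EXPECTED_TYPES = {
    ".css": {"text/css"},
    ".png": {"image/png"},
}

def parse_headers(raw):
    """Parse a raw response head into (status line, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit(url, raw_response):
    """Return a list of findings for one response; an empty list means OK."""
    _, headers = parse_headers(raw_response)
    findings = []
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    allowed = EXPECTED_TYPES.get(ext)
    if allowed and ctype not in allowed:
        findings.append(f"Content-Type {ctype or '(none)'} does not match {ext}")
    return findings

# Constructed samples: the PHP document sets the header itself; the static
# files served straight by Apache (before the FilesMatch fix) do not.
SAMPLES = {
    "http://localhost/index.php":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n",
    "http://localhost/path/style.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n",
    "http://localhost/path/logo.png": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n",
    # After the fix but with a wrong Content-Type: nosniff now blocks the sheet.
    "http://localhost/path/extra.css":
        "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n",
}

def audit_all(samples=SAMPLES):
    """Audit every sample; returns {url: [findings]}."""
    return {url: audit(url, raw) for url, raw in samples.items()}
```

Run it against real `curl -sI` output for each resource after restarting Apache; any non-empty finding list means the FilesMatch rule or the Content-Type mapping still needs attention.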