Skip to Content
SAP Enterprise Portal

X-CONTENT TYPE HEADER MISSING IN ENTERPRISE PORTAL

Tags:


DESCRIPTION:

The Anti-MIME-Sniffing header X-Content-Type-Options which was not set to 'nosniff' allows the older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

RECOMMENDATIONS:

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

RESOLUTION :

For the missing header X-Content-type it is not reliable protection for reducing MIME type security risks.

The header is supported only by IE and Chrome and this is major limitation that prevents its usage as general solution.

So this is a security issue on the browser side, which has to be solved there. The server can only give a kind recommendation and only to some browsers but can neither enforce this nor reach all browsers with such notification.

Former Member

No comments