From 78266d5b7b846877646dbec01cf89ee5d80a06e7 Mon Sep 17 00:00:00 2001 From: Simon C Date: Wed, 11 Mar 2020 16:59:13 +0100 Subject: [PATCH] feat: Disable the auto detection of resource type Protect yourself from malicious exploitation via MIME sniffing. MIME-Type sniffing explained Internet Explorer and Chrome browsers have a feature called "MIME-Type sniffing" that automatically detects a web resource's type. This means, for example, that a resource identified as an image can be read as a script if its content is a script. This property allows a malicious person to send a file to your website to inject malicious code. We advise you to disable the MIME-Type sniffing to limit such activity. Chrome has been working on a feature called Site Isolation which provides extensive mitigation against exploitation of these types of vulnerabilities. Site Isolation is more effective when MIME types are correct. How to prevent MIME-Type sniffing Configure a "X-Content-Type-Options" HTTP header. Add the "X-Content-Type-Options" HTTP header in the responses of each resource, associated to the "nosniff" value. It allows you to guard against such misinterpretations of your resources. https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/ --- nginx-default.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nginx-default.conf b/nginx-default.conf index 4e8e411..793960b 100644 --- a/nginx-default.conf +++ b/nginx-default.conf @@ -25,6 +25,9 @@ server { add_header X-UA-Compatible "IE=Edge,chrome=1"; + # https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/ + add_header X-Content-Type-Options "nosniff"; + #Caching (save html pages for 7 days, rest as long as possible, no caching on frontpage) expires $expires;
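Review bot: the new `add_header X-Content-Type-Options "nosniff";` line will only reach responses that do not pass through a `location` block with its own `add_header` directives, because nginx inherits `add_header` from the enclosing level only when the current level defines none; please confirm that no `location` in nginx-default.conf sets headers of its own, or repeat the directive there, and consider `add_header X-Content-Type-Options "nosniff" always;` so the header is also sent on 4xx/5xx responses (without `always`, nginx adds it only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308). The comment above the directive is a bare URL; a one-line note such as "# stop browsers from sniffing the content type of responses" would keep the intent readable without following the link. After deploying, a quick `curl -sI` against an HTML page, a static asset and a 404 path should show the header on each.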