Commit Graph

4 Commits

Author SHA1 Message Date
Simon 78266d5b7b feat: Disable the auto detection of resource type
Protect yourself from malicious exploitation via MIME sniffing.
MIME-Type sniffing explained

Internet Explorer and Chrome browsers have a feature called "MIME-Type sniffing" that automatically detects a web resource's type. This means, for example, that a resource identified as an image can be read as a script if its content is a script.

This property allows a malicious person to send a file to your website to inject malicious code. We advise you to disable MIME-Type sniffing to limit such activity.

Chrome has been working on a feature called Site Isolation which provides extensive mitigation against exploitation of these types of vulnerabilities. Site Isolation is more effective when MIME types are correct.
How to prevent MIME-Type sniffing

Configure an "X-Content-Type-Options" HTTP header. Add the "X-Content-Type-Options" HTTP header to the responses of each resource, with the "nosniff" value. It allows you to guard against such misinterpretations of your resources.

https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/
2020-03-11 16:59:13 +01:00
Simon 6b2d95f245 fix: Avoid http-equiv <meta> tags
HTTP headers are more efficient than the http-equiv meta tags.
The <meta http-equiv=/> tags

The http-equiv meta tags allow you to communicate to the web browser information equivalent to that of HTTP headers. For example, the meta <meta http-equiv=content-type/> will have the same consequences as the HTTP Content-Type header.

Two points discourage the use of http-equiv meta tags:

    Going through the meta requires interpreting the beginning of the HTML page, which is slower than going through the HTTP headers in terms of performance
    If the HTTP header is already present, the meta is ignored

In which cases are the <meta http-equiv=/> useful?

Only one case can justify the presence of these meta tags: if you don’t have access to the configuration of your server, that is, to the HTTP headers.

However, we advise you to use a configurable server so that you can establish the most efficient site possible.

This page contains 1 http-equiv meta tag. If possible, you should replace it:

    x-ua-compatible
2020-03-11 16:53:51 +01:00
Simon 44ca31ca65 feat: Specify a character set on server 2020-03-11 14:29:36 +01:00
Simon 4154664d69 feat: Nginx configuration 2020-03-09 16:18:26 +01:00
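The three hardening points these commits address (a nosniff header on every response, an explicit charset in Content-Type, and no http-equiv meta tags doing a header's job) can be checked from a captured response. The audit below is an added example, not code from this repository; the sample headers and HTML body are constructed so it runs offline, and the finding strings are this example's own.

```python
import re

# Constructed sample response (not from the project): it has no
# X-Content-Type-Options header, no charset on Content-Type, and one
# http-equiv meta tag, so all three checks fire.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
SAMPLE_BODY = """<!doctype html><html><head>
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta charset="utf-8"><title>demo</title>
</head><body>hello</body></html>"""

# Matches <meta ... http-equiv=NAME ...> regardless of attribute order or quoting.
META_HTTP_EQUIV = re.compile(
    r"<meta\b[^>]*\bhttp-equiv\s*=\s*['\"]?([A-Za-z0-9-]+)", re.IGNORECASE)


def audit_response(headers, body):
    """Return the findings for one HTTP response.

    headers: dict of response header names to values (looked up case-insensitively)
    body:    decoded response body; only scanned for text/html responses
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Every response needs X-Content-Type-Options: nosniff, otherwise a
    #    browser may sniff an uploaded "image" and execute it as a script.
    xcto = lower.get("x-content-type-options", "").strip().lower()
    if xcto != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # 2. Text resources should declare their charset on the server side.
    ctype = lower.get("content-type", "").lower()
    if ctype.startswith("text/") and "charset=" not in ctype:
        findings.append("Content-Type has no charset parameter")

    # 3. http-equiv meta tags are ignored when the real header exists and cost
    #    HTML parsing time when it does not; report each so it can move to the server.
    if ctype.startswith("text/html"):
        for name in META_HTTP_EQUIV.findall(body):
            findings.append(f"http-equiv meta tag should be an HTTP header: {name.lower()}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```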