Having checked a site on webpagetest.org, it showed a critical issue with mod_headers security.
The current htaccess.txt (.htaccess) has this code:
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
When two lines are added, the security issue is fixed:
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header append X-FRAME-OPTIONS "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
Can this be added to the htaccess.txt file or is it not applicable in all cases?
I am on a Linux LiteSpeed server.
Labels Added: No Code Attached Yet
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2023-04-14 08:50:24
Closed_By: ⇒ Scrabble96
Yes, both work of course. The reason for the nosniff within the htaccess is a) this is a one-value header anyway and b) it is important that this is also respected when Joomla itself is not triggered.
HSTS only works on HTTPS sites, so it cannot be a default setting; it is better suited within the plugin.
The frame options are in the end a per-site decision and, to me, should not be forced to be same origin, as there are also some other valid reasons to allow more or less via different settings.
Sorry, this is covered in the HTTP Headers plugin.
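As an added example (not part of the original report or the Joomla project), a small checker that verifies the three headers from the .htaccess snippet in a server's actual response, covering two points raised above: `Header append` joins onto any X-Frame-Options value the plugin already sends, and HSTS is only honoured over HTTPS. The sample response is constructed.

```python
import re

VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> dict:
    """Raw response header block -> {lowercased name: [values...]}."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str, scheme: str) -> dict:
    """One finding per header: 'ok' or a short description of the problem."""
    h = parse_headers(raw)
    out = {}
    xcto = h.get("x-content-type-options", [])
    out["x-content-type-options"] = "ok" if xcto == ["nosniff"] else "missing or not nosniff"
    # 'Header append' joins onto an existing value (e.g. one set by the HTTP Headers
    # plugin); browsers disagree on how to treat a multi-valued X-Frame-Options.
    xfo = [v.strip().upper() for val in h.get("x-frame-options", []) for v in val.split(",")]
    if not xfo:
        out["x-frame-options"] = "missing"
    elif len(xfo) > 1:
        out["x-frame-options"] = "multiple values; handling differs between browsers"
    elif xfo[0] not in VALID_XFO:
        out["x-frame-options"] = "unexpected value " + xfo[0]
    else:
        out["x-frame-options"] = "ok"
    # HSTS is ignored by browsers on plain HTTP (hence env=HTTPS in the snippet).
    hsts = h.get("strict-transport-security", [])
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if scheme != "https":
        out["strict-transport-security"] = "not applicable over http"
    elif not m:
        out["strict-transport-security"] = "missing or no max-age"
    else:
        out["strict-transport-security"] = "ok" if int(m.group(1)) >= 31536000 else "max-age below one year"
    return out


# Constructed sample: .htaccess appended X-Frame-Options while the plugin already set it.
SAMPLE = ("HTTP/1.1 200 OK\nX-Content-Type-Options: nosniff\n"
          "X-Frame-Options: SAMEORIGIN, DENY\nStrict-Transport-Security: max-age=31536000\n")

if __name__ == "__main__":
    for name, result in audit(SAMPLE, "https").items():
        print(name, "->", result)
```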