No Code Attached Yet
18info - open - 30 Sep 2025

Is your feature request related to a problem? Please describe.

Hello!
It is not directly a problem, but a security header is missing (at least this one…)

Apologies, I'm not a dev.
I use Joomla! 5.3.3 up to date

Describe the solution you'd like

Have a switch, like the one for X-Frame-Options, to be able to activate it with "nosniff".

(screenshot)

Additional context

I modified 3 files as follows:
administrator/language/en-GB/plg_system_httpheaders.ini at l.44

PLG_SYSTEM_HTTPHEADERS_XCONTENTTYPEOPTIONS="<a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options' target='_blank' rel='noopener noreferrer'>X-Content-Type-Options</a>" ; Do not translate

plugins/system/httpheaders/httpheaders.xml at l.33

	<field
		name="xcontenttypeoptions"
		type="radio"
		label="PLG_SYSTEM_HTTPHEADERS_XCONTENTTYPEOPTIONS"
		layout="joomla.form.field.radio.switcher"
		default="0"
		filter="integer"
		validate="options"
		>
		<option value="0">JDISABLED</option>
		<option value="1">JENABLED</option>
	</field>

plugins/system/httpheaders/src/Extension/Httpheaders.php at l.52

'X-Content-Type-Options',

At l.366

        // X-Content-Type-Options
        if ($this->params->get('xcontenttypeoptions', 1) === 1) {
            $staticHeaderConfiguration['x-content-type-options#both'] = 'nosniff';
        }

"Et voilà !"

(screenshots)

What do you think about it?

Thanks for reading, regards.

richard67 - comment - 30 Sep 2025

@RANDOMLY-OBFUSCATED The HTTP Headers plugin applies only to the HTML pages generated by the PHP files (index.php of your templates).

However, the X-Content-Type-Options header should also be set for assets, e.g. JavaScript or CSS files.

That's why we have it in the htaccess.txt file here: https://github.com/joomla/joomla-cms/blob/5.3-dev/htaccess.txt#L40-L43

So if you use an .htaccess file on an Apache server with mod_headers enabled, it should be fine.

RANDOMLY-OBFUSCATED - comment - 30 Sep 2025

@richard67
Thanks for reply.
Nope, I tried first with .htaccess, and that's why I made this. This header is not sent when configured in .htaccess on some servers.
Having several different ways to configure the headers is not the easiest, no?
It makes sense to set all headers in the same place (?).

Edit:
Yes, this header is effectively sent when I request a .css file, but it doesn't work on the web page if not set through the plugin.

curl -s -D - -o /dev/null https://domain.tld/media/gantry5/engines/nucleus/css-compiled/nucleus.css
HTTP/2 200 
date: Tue, 30 Sep 2025 17:14:44 GMT
server: Apache
strict-transport-security: max-age=16000000
x-content-type-options: nosniff
cross-origin-resource-policy: same-origin
cross-origin-embedder-policy: require-corp
last-modified: Sat, 20 Sep 2025 10:59:18 GMT
etag: "552c-63f397a52b131"
accept-ranges: bytes
content-length: 21804
vary: Accept-Encoding
content-type: text/css

A server configuration problem? (This one is a shared server.)

brianteeman - comment - 3 Oct 2025

> A server configuration problem? (this one is a shared one)

Did you ask your host?

RANDOMLY-OBFUSCATED - comment - 3 Oct 2025

Yes. I encountered the same situation with WP. They said "no support for software, get close to the dev team" and "no problem at HTTP server level".
They are competent and serious.

brianteeman - comment - 4 Oct 2025

> They are competent and serious.

If they were, they would tell you why something unrelated to the CMS doesn't work on your server.

richard67 - comment - 4 Oct 2025

@RANDOMLY-OBFUSCATED Let me try again to explain why it is not sufficient to set that header only with the HTTP headers plugin.

The plugin can add the header only to the HTML page generated by PHP, but not to the CSS or JS or whatever other resources or media files.

The header shall disable the so-called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to cross-site scripting vulnerabilities.

The MIME type of the html page is not relevant for that scenario as that is always "text/html".

https://securityheaders.com/ only checks the headers of the main HTML page and shows you a nice green A+ result if that has the mentioned header (and others).

If we now set that header only with the plugin, it would look good on https://securityheaders.com/ , but it would not fix the scenario. That would be snake oil.

We should not produce snake oil solutions with our CMS core.
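
The point above is that a check of the main HTML page alone says nothing about whether the assets are protected. The following script is an added example, not code from this issue or from the Joomla project: it parses the kind of header dump that `curl -s -D - -o /dev/null URL` prints (as in the earlier comment) and reports every response that does not send `X-Content-Type-Options: nosniff` or that lacks a `Content-Type` at all. The CSS dump below copies the one posted in the thread; the HTML page and JavaScript dumps are constructed for the example and stand in for the situation described (header present on assets, absent on the page).

```python
"""Audit nosniff coverage across an HTML page and its assets.

Input is the raw dump printed by `curl -s -D - -o /dev/null URL`
(status line, then one header per line). Added example for this thread;
the sample dumps below are constructed except the CSS one, which copies
the curl output quoted in the issue.
"""
from typing import Dict, List, Tuple

# Constructed sample responses keyed by URL (domain.tld is a placeholder).
SAMPLE_RESPONSES: Dict[str, str] = {
    # HTML page: the plugin is not setting the header and .htaccess did not apply.
    "https://domain.tld/": """HTTP/2 200
date: Tue, 30 Sep 2025 17:14:40 GMT
server: Apache
strict-transport-security: max-age=16000000
content-type: text/html; charset=utf-8
""",
    # CSS asset: copied from the curl output in the thread.
    "https://domain.tld/media/gantry5/engines/nucleus/css-compiled/nucleus.css": """HTTP/2 200
date: Tue, 30 Sep 2025 17:14:44 GMT
server: Apache
strict-transport-security: max-age=16000000
x-content-type-options: nosniff
cross-origin-resource-policy: same-origin
cross-origin-embedder-policy: require-corp
last-modified: Sat, 20 Sep 2025 10:59:18 GMT
etag: "552c-63f397a52b131"
accept-ranges: bytes
content-length: 21804
vary: Accept-Encoding
content-type: text/css
""",
    # JS asset: constructed; header present but Content-Type missing, which
    # is exactly the case in which a browser would fall back to sniffing.
    "https://domain.tld/media/system/js/core.min.js": """HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: NOSNIFF
Content-Length: 1234
""",
}


def parse_header_dump(dump: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, headers). Names are lower-cased because HTTP/1.1
    names are case-insensitive and HTTP/2 sends them lower-case anyway;
    repeated headers are kept in order as a list."""
    lines = [line.rstrip("\r") for line in dump.strip().splitlines()]
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line (e.g. a second status line after a redirect)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def has_nosniff(headers: Dict[str, List[str]]) -> bool:
    """Mirror how Fetch evaluates the header: join all values with commas,
    and only the first comma-separated token counts, case-insensitively."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first_token = ",".join(values).split(",")[0].strip()
    return first_token.lower() == "nosniff"


def audit(responses: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (url, finding) pairs for every response that is not protected."""
    findings: List[Tuple[str, str]] = []
    for url, dump in responses.items():
        _, headers = parse_header_dump(dump)
        if not has_nosniff(headers):
            findings.append((url, "missing X-Content-Type-Options: nosniff"))
        if "content-type" not in headers:
            findings.append((url, "missing Content-Type (nosniff cannot help here)"))
    return findings


def urls_missing_nosniff(responses: Dict[str, str]) -> List[str]:
    """Convenience view: just the URLs whose response lacks nosniff."""
    return sorted(url for url, why in audit(responses) if why.startswith("missing X-Content"))


if __name__ == "__main__":
    for url, why in audit(SAMPLE_RESPONSES):
        print(f"{url}: {why}")
```

To use it against a real site, collect one dump per URL (the page itself plus every stylesheet, script, font and image it references) with `curl -s -D - -o /dev/null URL` and feed them in place of the constructed samples; a site only passes when the list of findings is empty, which a page-only scanner cannot tell you.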

RANDOMLY-OBFUSCATED - comment - 17 Oct 2025

Hello,
Apologies for the lag. I'm going to have a talk with the hoster about this.
I will report here.
Have a nice day
