Enabling the X-Content-Type-Options header
You can configure the X-Content-Type-Options header settings to help you block content sniffing. The default value indicates that the MIME types advertised in the Content-Type headers must not be changed and are to be followed as given.
About this task
You can help protect your site from MIME sniffing attacks by using the X-Content-Type-Options header. This matters because some MIME types represent executable content, so a browser that guesses a different type than the one declared may execute a response that was never meant to run.
For more information about this header, see X-Content-Type-Options on the Mozilla documentation site.
The following value is used for your X-Content-Type-Options header:
- nosniff
  - Blocks a request if the request destination is of type:
    - "style" and the MIME type is not text/css, or
    - "script" and the MIME type is not a JavaScript MIME type
Procedure
- The Transaction Server's HttpSecurityFilter class adds the X-Content-Type-Options header to the response based on the configuration specified in the foundation wc-component.xml. It is enabled by default for the REST-Transaction WAR as follows:
  <_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
    <!-- Set the value to "true" to enable X-Content-Type-Options header with value of "nosniff". Prevents the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). -->
    <_config:property name="XContentTypeOptionsHeader" value="true"/>
  </_config:configgrouping>
- To customize the X-Content-Type-Options header value, or to specify it for other WARs, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the HCL Commerce configuration file (wc-component.xml).
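As an added example (not HCL Commerce's own code), the following Python reads the XContentTypeOptionsHeader property from a constructed wc-component.xml fragment modelled on step 1, adds the header to a response the way the filter is described as doing, and then applies the nosniff rule listed above to sample responses. The namespace URI bound to the _config prefix and the list of JavaScript MIME types are assumptions made so the script runs stand-alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's configgrouping. The _config prefix is
# bound to a placeholder URI here only so the fragment parses stand-alone.
CONFIG_XML = """<root xmlns:_config="urn:placeholder-config-ns">
<_config:configgrouping name="HttpSecuritySettings_Rest-Transaction">
  <!-- "true" enables the X-Content-Type-Options header with value "nosniff". -->
  <_config:property name="XContentTypeOptionsHeader" value="true"/>
</_config:configgrouping>
</root>"""
NS = {"_config": "urn:placeholder-config-ns"}

# Assumed subset of the JavaScript MIME types browsers accept for script destinations.
JS_MIME_TYPES = {"text/javascript", "application/javascript", "application/ecmascript",
                 "application/x-javascript", "text/ecmascript"}


def nosniff_enabled(config_xml, grouping_name):
    """True when the named configgrouping sets XContentTypeOptionsHeader="true"."""
    root = ET.fromstring(config_xml)
    for grouping in root.findall("_config:configgrouping", NS):
        if grouping.get("name") != grouping_name:
            continue
        for prop in grouping.findall("_config:property", NS):
            if prop.get("name") == "XContentTypeOptionsHeader":
                return prop.get("value", "").strip().lower() == "true"
    return False  # property absent: header is not added for this WAR


def add_nosniff_header(headers, enabled):
    """Return a copy of the response headers with X-Content-Type-Options added when enabled."""
    out = dict(headers)
    if enabled:
        out["X-Content-Type-Options"] = "nosniff"
    return out


def _header(headers, name):
    # Header names are case-insensitive; parameters such as charset are kept here.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def browser_blocks(headers, destination):
    """Apply the nosniff rule: block style/script responses whose MIME type does not match."""
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        return False  # no header: the browser may sniff and still run the content
    mime = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if destination == "style":
        return mime != "text/css"
    if destination == "script":
        return mime not in JS_MIME_TYPES
    return False  # other destinations (image, document, ...) are not affected by nosniff
```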