Probable MIME-Sniffing
Article ID: 94902
Updated On:
Products
CA API Developer Portal
CA API Gateway
Issue/Introduction
X-Content-Type Header is not set in the response which may imply that the application may be vulnerable to MIME Sniffing attacks. After intercepting the response it can be observed that X-Content-Type-Options header is not present which can lead to possible MIME attack.
Environment
All Versions of SSG
Resolution
1. This can be achieved by adding manage Transport Properties/ Headers assertion to your policy.
2. In the Transport Properties/ Header Properties set the type to HTTP
3. In the Transport Properties/ Header Properties change the operation to add or replace
4. In the Transport Properties/ Header Properties the Property/Header name should be set to X-Content-Type-Options
5. In the Transport Properties/ Header Properties value set the value as nosniff
6. Additionally you can add this to a global fragment as well.
Feedback
Yes
No
Powered by
