X-Content-Type-Options Header Missing

Submitted by 魔方 西西 on 2020-12-12 02:41:07

Question


I am developing a web application in angularjs5. The security team is testing our application and raised the bug.

Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Url: http://mywebsite.azurewebsites.net/dist/vendor.js?v=vBjTOpDNRC-nQNYd5TD5g6hxfdfdjc7SPrvBv0o2pPs

Method: Get

Parameter: X-Content-Type-Options

Solution: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

I have set header 'X-Content-Type-Options': 'nosniff' in all HTTP requests as below.

    protected getRequestHeaders(): { headers: HttpHeaders | { [header: string]: string | string[]; } } {
        let headers = new HttpHeaders({
            'Authorization': `Bearer ${this.appContextService.userToken}`,
            'Content-Type': 'application/json',
            'Accept': 'application/json',
            'Ocp-Apim-Subscription-Key': ` ${this.appContextService.subscriptionKey}`,
            'X-Frame-Options': 'Deny',
            'X-XSS-Protection': '1',
            'X-Content-Type-Options': 'nosniff',
            'cache-control': 'max-age=3153600'
        });
        return { headers: headers };
    }

Can someone help me to set the header X-Content-Type-Options for dist/vendor.css, dist/main-client.js, dist/vendor.js? Any help would be appreciated. Thank you.

Source: https://stackoverflow.com/questions/49851566/x-content-type-options-header-missing
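
The scanner finding concerns the headers the server returns with each static file, so a fix can be confirmed by inspecting captured response headers. The following is an added example, not part of the original question: it parses response header blocks for the three assets named above and reports a missing nosniff or a Content-Type that nosniff enforcement would reject. The sample responses, the `PLACEHOLDER` query value and all function names are constructed for illustration.

```typescript
// Added example, not from the original post. Sample responses are constructed,
// shaped like the header block `curl -sI <url>` prints.
type HeaderMap = { [name: string]: string };

// Subset of the MIME types browsers accept per asset kind once nosniff is set.
const EXPECTED: { [ext: string]: string[] } = {
  js: ["application/javascript", "application/x-javascript", "text/javascript"],
  css: ["text/css"],
};

// Parse one raw response header block. Header names are case-insensitive.
function parseHeaders(raw: string): HeaderMap {
  const headers: HeaderMap = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Problems with one static-asset response; an empty array means it passes.
function auditAsset(url: string, raw: string): string[] {
  const h = parseHeaders(raw);
  const problems: string[] = [];
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    problems.push("X-Content-Type-Options missing or not 'nosniff'");
  }
  const ctype = (h["content-type"] || "").replace(/;.*$/, "").trim().toLowerCase();
  const m = /\.(js|css)(?:[?#]|$)/i.exec(url); // extension before any ?v=... query
  const allowed = m ? EXPECTED[String(m[1]).toLowerCase()] : undefined;
  if (allowed && allowed.indexOf(ctype) === -1) {
    problems.push("Content-Type '" + ctype + "' does not match the asset; nosniff would block it");
  }
  return problems;
}

const SAMPLES: { [url: string]: string } = {
  "/dist/vendor.js?v=PLACEHOLDER":
    "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nCache-Control: max-age=3153600",
  "/dist/main-client.js":
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff",
  "/dist/vendor.css":
    "HTTP/1.1 200 OK\r\nContent-Type: text/css; charset=utf-8\r\nx-content-type-options: NoSniff",
};

// URLs in SAMPLES whose response has at least one problem.
function failingAssets(): string[] {
  return Object.keys(SAMPLES).filter((url) => auditAsset(url, SAMPLES[url] || "").length > 0);
}
```

The second sample shows why the scanner's solution pairs the two headers: with nosniff set, a script served with a non-script Content-Type is refused by the browser rather than sniffed.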
