
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

MIME sniffing has not been disabled for HTTP responses.

SA-34536

Summary

MIME sniffing has not been disabled for HTTP responses, which is a possible security threat.


Error Messages

Not Applicable


Steps to Reproduce

Not Applicable


Root Cause

Each type of file delivered from a web server has an associated MIME type (also called a "content-type") that describes the nature of the content, such as image, text, application, and so on.

For compatibility reasons, Internet Explorer has a MIME-sniffing feature that attempts to determine the content-type of each downloaded resource. In some cases, Internet Explorer reports a MIME type different from the type specified by the web server. For example, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, it decides that the content should be rendered as HTML.

However, MIME sniffing can also lead to security problems: Internet Explorer could misinterpret the content-type of a page and cause undesirable effects. For instance, an attacker could upload a specially crafted file that contains script content, and then send a link to the file to unsuspecting victims. When a victim visits the server using Internet Explorer, the malicious file would be misinterpreted as text/html and executed client-side. This script could then steal the victim's cookies, generate a phony page, and so on.

ASVS 2016 Check: V11.6 (L1,2,3).

Resolution

Install HFix-26866 and update the value of the following Dynamic System Setting (DSS):

Owning RuleSet: Pega-RulesEngine
Setting Purpose: http/responseHeaders
Value: {"X-Content-Type-Options":"nosniff"}
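The following is an added example for verifying the fix; it is not Pega's own code and does not describe how the platform applies the DSS internally. It assumes only what the article states: the http/responseHeaders value is a JSON object whose keys and values are emitted as HTTP response headers. The script parses that value, merges it into a constructed set of response headers, and audits the result the way a scanner would, matching the header name and the nosniff token case-insensitively.

```python
"""Audit HTTP response headers for X-Content-Type-Options: nosniff.

Added example (not Pega code). Assumes the http/responseHeaders DSS value is
a JSON object of header name/value pairs, as shown in the article.
"""
import json
from typing import Dict, List


def parse_dss_response_headers(dss_value: str) -> Dict[str, str]:
    """Parse the http/responseHeaders DSS value into a header map.

    Raises ValueError when the value is not a JSON object of string pairs,
    the kind of typo that would silently leave the header unset.
    """
    parsed = json.loads(dss_value)
    if not isinstance(parsed, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in parsed.items()
    ):
        raise ValueError("http/responseHeaders must be a JSON object of string pairs")
    return parsed


def apply_response_headers(base: Dict[str, str], extra: Dict[str, str]) -> Dict[str, str]:
    """Return base with the configured headers added; names override case-insensitively."""
    merged = dict(base)
    for name, value in extra.items():
        for existing in list(merged):
            if existing.lower() == name.lower():
                del merged[existing]
        merged[name] = value
    return merged


def audit_nosniff(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means sniffing is disabled.

    Browsers treat header names and the nosniff token case-insensitively,
    so the check does the same after trimming whitespace.
    """
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    xcto = lowered.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing: MIME sniffing not disabled")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}; expected 'nosniff'")
    if "content-type" not in lowered:
        # nosniff pins the browser to the declared type; with no declaration there is nothing to pin.
        findings.append("Content-Type header missing: no declared type for nosniff to enforce")
    return findings


# Constructed sample: headers as a server might emit them before the fix.
SAMPLE_BEFORE = {
    "Content-Type": "text/plain; charset=UTF-8",
    "Cache-Control": "no-cache",
}

# The DSS value from the article.
DSS_VALUE = '{"X-Content-Type-Options":"nosniff"}'

if __name__ == "__main__":
    print("before:", audit_nosniff(SAMPLE_BEFORE))
    fixed = apply_response_headers(SAMPLE_BEFORE, parse_dss_response_headers(DSS_VALUE))
    print("after:", audit_nosniff(fixed))
```

Run it against headers captured from a real response (for example, copied out of the browser's network panel) to confirm the DSS change actually reaches the client; an intermediate proxy or load balancer that strips unknown headers would leave the finding open even after the hotfix is installed.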


Published March 16, 2017 - Updated October 8, 2020
