  • MIME Sniffing

    Abstract:

    The web.config file does not include the header required to mitigate MIME sniffing attacks.

    Explanation:

    MIME sniffing is the practice of inspecting the content of a byte stream to deduce the file format of the data within it.

    If MIME sniffing is not explicitly disabled, some browsers can be manipulated into interpreting data in a way that was not intended (for example, treating an uploaded "text" file as HTML), allowing for cross-site scripting attacks.

    For each page that could contain user-controllable content, you should send the HTTP header X-Content-Type-Options: nosniff.

    Recommendations:

    To mitigate this finding, the programmer can either (1) set the header globally for all pages in the application in the web.config file, or (2) set the required header page by page for only those pages that might contain user-controllable content.

    To set it globally, add the header in the web.config file for the application being hosted by Internet Information Services (IIS):

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Content-Type-Options" value="nosniff"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
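    The following Python script is an added example, not part of the original finding text or of any IIS tooling. It does two things the explanation and the web.config recommendation above describe: it audits a web.config to confirm that the customHeaders section really ends up adding X-Content-Type-Options: nosniff (honouring a later remove or clear, which IIS applies in order), and it models how a browser settles the type of a response with and without the header. The sniffing model is a deliberately simplified assumption of this example, not the exact algorithm of any browser; the sample web.config documents and HTTP responses are constructed here.

```python
import xml.etree.ElementTree as ET

HEADER = "X-Content-Type-Options"

# Constructed sample web.config documents for this example.
SAFE_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

UNSAFE_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def _child(elem, tag):
    """First direct child with the given tag. Tags such as 'system.webServer'
    contain a dot, which ElementTree's path syntax would misparse, so the
    tree is walked by hand instead of with find()/iterfind()."""
    for c in elem:
        if c.tag == tag:
            return c
    return None


def webconfig_sets_nosniff(config_xml: str) -> bool:
    """True if configuration/system.webServer/httpProtocol/customHeaders leaves
    X-Content-Type-Options: nosniff in effect. IIS processes the collection in
    order, so a <remove> or <clear/> after the <add> cancels it."""
    node = ET.fromstring(config_xml)
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = _child(node, tag)
        if node is None:
            return False
    in_effect = False
    for entry in node:
        name = entry.get("name", "").strip().lower()
        value = entry.get("value", "").strip().lower()
        if entry.tag == "clear":
            in_effect = False
        elif entry.tag == "remove" and name == HEADER.lower():
            in_effect = False
        elif entry.tag == "add" and name == HEADER.lower() and value == "nosniff":
            in_effect = True
    return in_effect


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


# Byte patterns that browsers treat as evidence of HTML when the declared type
# gives them nothing reliable (a subset, compared case-insensitively).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe", b"<body")

# Declared types that a sniffing browser is willing to second-guess (assumption
# of this simplified model; real browsers differ by version).
SNIFFABLE_TYPES = ("", "text/plain", "application/octet-stream", "unknown/unknown")


def looks_like_html(body: bytes) -> bool:
    """Does the body, after leading whitespace, start like an HTML document?"""
    head = body.lstrip()[:512].lower()
    return any(head.startswith(marker) for marker in HTML_MARKERS)


def effective_content_type(headers: dict, body: bytes) -> str:
    """Simplified model of the browser's decision: with nosniff the declared
    type is final; without it, a missing or generic type is upgraded to
    text/html when the body looks like HTML, which is the path that turns a
    supposedly inert upload into markup the browser will execute."""
    declared = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if _header(headers, HEADER).strip().lower() == "nosniff":
        return declared or "application/octet-stream"
    if declared in SNIFFABLE_TYPES and looks_like_html(body):
        return "text/html"
    return declared or "application/octet-stream"


if __name__ == "__main__":
    # Constructed response: a user upload served as text/plain.
    upload = b"  <html><body>user supplied content</body></html>"
    print("safe config sets nosniff:", webconfig_sets_nosniff(SAFE_CONFIG))
    print("unsafe config sets nosniff:", webconfig_sets_nosniff(UNSAFE_CONFIG))
    print("without header:", effective_content_type({"Content-Type": "text/plain"}, upload))
    print("with header:", effective_content_type(
        {"Content-Type": "text/plain", HEADER: "nosniff"}, upload))
```

    Run it against a real web.config by reading the file into `webconfig_sets_nosniff`; a False result with an `<add>` present usually means a later `<remove>` or `<clear/>` in the same collection, which is easy to miss when the header is inherited from a parent site configuration.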

    The following example shows how to add the header in the global Application_BeginRequest method (in Global.asax, which runs for every request to the application):

    void Application_BeginRequest(object sender, EventArgs e)
    {
        // Writing to Response.Headers directly requires the IIS integrated pipeline;
        // the value is sent with every response, including static content.
        this.Response.Headers["X-Content-Type-Options"] = "nosniff";
    }

    The following example shows how to add the header by implementing a custom HTTP module using the IHttpModule interface; the module only adds the header when the page (or another module) has not already set it:

    public class XContentTypeOptionsModule : IHttpModule
    {
        // The module must also be registered in the <modules> section of web.config.
        public void Init(HttpApplication context)
        {
            // Subscribe just before the headers are flushed, so the check below
            // sees any value a page or another module has already set.
            context.PreSendRequestHeaders += context_PreSendRequestHeaders;
        }

        public void Dispose() { }

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpApplication application = sender as HttpApplication;
            if (application == null) return;
            // Do not overwrite a value set elsewhere, e.g. page by page.
            if (application.Response.Headers["X-Content-Type-Options"] != null) return;
            application.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        }
    }

  • Original source: https://www.cnblogs.com/time-is-life/p/6202821.html