0

Using OWASP ZAP 2.6, my attack gives an alert: 'X-Content-Type-Options header missing'. It is mostly the CSS files.

Can anyone tell me how to configure the response headers for a CSS file linked from a PHP/HTML file such as an index.php webpage?

Rod
  • Further research seems to indicate that this might need to be done in a .htaccess file. Not yet sure of the details, but similar information in other areas and languages appears to be handled this way. – Rod Oct 17 '17 at 13:37
  • Apparently, according to the following link from a somewhat related question on Stack Overflow, we add the PHP directly to the CSS file: https://stackoverflow.com/questions/12367134/how-do-i-run-php-inside-css/12367163#12367163. I tried it, but can't see response headers on a CSS file... – Rod Oct 17 '17 at 15:17

1 Answer

0

In OWASP ZAP 2.6, the software does the penetration testing/scanning. It discovers what "flaws" are found and reports them to the user. In my case I was penetration testing without putting my Firefox browser in penetration testing mode or "manual proxy" like it said to do in the directions. I simply forgot to switch modes. I found the forums to be much more forthcoming with information for us beginners. I appreciate that. I simply added the following headers to my index and other webpages where it applied. Add the following header code to the top of your index page, etc. according to the security issue in question:

<?php
// header() must run before any output is sent: no HTML, whitespace or BOM may precede this block
header('Content-Type: text/html');
header('X-Content-Type-Options: nosniff', false);
// stop caching of page
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Cache-Control: post-check=0, pre-check=0", false);
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Pragma: no-cache"); // HTTP/1.0
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("X-XSS-Protection: 1");
header("X-Frame-Options: SAMEORIGIN");
?>

This deals with two potential security issues on various site pages:

Web Browser XSS Protection Not Enabled

X-Content-Type-Options Header Missing

It "probably" doesn't apply in the case of css content. However you know your app/site better. There could be circumstances or functionality where it's relevant.

Ultimately you can make the call in the end as a user. That's why the severity of findings is modifiable (incl. False Positive) and why there is an Alert Filter extension.

The ZAP User Group can be found here to research questions on ZAP: https://groups.google.com/forum/#!forum/zaproxy-users

Rod
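The PHP header() calls in the answer only affect responses that PHP renders; a static stylesheet served straight from disk by Apache never executes them, which is why ZAP keeps flagging the CSS files. For static files the header has to be set at the web server, for example with mod_headers (`Header always set X-Content-Type-Options "nosniff"` in the site config or a .htaccess file, where that is permitted). The following added example, which is not part of the question or answer above, audits raw HTTP response headers for the two ZAP alerts named in the answer. The two sample responses are constructed by hand (an index.php response carrying the answer's headers, and a CSS response with none of them) and are assumptions, not captured traffic.

```python
"""Audit raw HTTP response headers for the two ZAP alerts named in the answer.

Added example, not part of the original question or answer. The sample
responses below are constructed to contrast a PHP-rendered page (where
header() applies) with a static CSS file served by the web server alone.
"""

# Checks keyed by the ZAP alert name they correspond to.
# Each value is (lower-cased header name, predicate that the value must satisfy).
CHECKS = {
    "X-Content-Type-Options Header Missing": (
        "x-content-type-options",
        lambda v: v.strip().lower() == "nosniff",
    ),
    "Web Browser XSS Protection Not Enabled": (
        "x-xss-protection",
        lambda v: v.strip().startswith("1"),
    ),
}


def parse_headers(raw):
    """Parse a raw response (status line, headers, blank line, body) into a
    dict keyed by lower-cased header name. A repeated header keeps its last value."""
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return the sorted list of alert names this response would trigger."""
    headers = parse_headers(raw)
    alerts = []
    for alert, (name, is_ok) in CHECKS.items():
        value = headers.get(name)
        if value is None or not is_ok(value):
            alerts.append(alert)
    return sorted(alerts)


# Constructed sample: index.php after adding the header() calls from the answer.
INDEX_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
Cache-Control: no-store, no-cache, must-revalidate
X-XSS-Protection: 1
X-Frame-Options: SAMEORIGIN

<html>..."""

# Constructed sample: a static stylesheet served by Apache without PHP, so
# none of the header() calls in index.php ever run for it.
CSS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/css
Last-Modified: Tue, 17 Oct 2017 13:37:00 GMT

body { color: #333; }"""


if __name__ == "__main__":
    for label, raw in (("index.php", INDEX_RESPONSE), ("style.css", CSS_RESPONSE)):
        print(label, audit(raw) or "no alerts")
```

Running the block reports no alerts for the index.php sample and both alerts for the CSS sample. To check a real deployment, paste the output of `curl -sI https://example.invalid/style.css` (hypothetical host) into audit(); once the server-level header is in place the X-Content-Type-Options alert should disappear for static files too.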