Add config for reducing MIME type security risks

alrra · alrra · commit b9fc0d0f8ab4 · 2013-10-31T18:17:40.000+02:00
For compatibility reasons (e.g.: legacy servers that serve all files as `text/plain`), IE 8+ has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource. In some cases, IE may report a MIME type different than the type speci- fied by the web server. For instance, if IE finds HTML content in a file delivered with the HTTP response header `Content-Type: text/plain`, it determines that the content should be rendered as HTML. Unfortunately, MIME-sniffing can also lead to security problems for servers hosting untrusted content. Fortunately, IE provides web apps with the ability to opt-out of MIME-sniffing by sending the `X-Content-Type-Options` response header with the value `nosniff`. This will prevent IE from MIME-sniffing a response away from the declared content-type. See also: * http://msdn.microsoft.com/en-us/library/ie/gg622941 * http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx Beside IE 8+, this feature has been implemented in Chrome, and may soon come to Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=471020). Ref: #8.
diff --git a/.htaccess b/.htaccess
@@ -322,6 +322,21 @@ AddDefaultCharset utf-8
 
 </FilesMatch>
 
+# ------------------------------------------------------------------------------
+# | Reducing MIME-type security risks                                          |
+# ------------------------------------------------------------------------------
+
+# Prevent some browsers from MIME-sniffing the response.
+# This reduces exposure to drive-by download attacks and should be enable espe-
+# cially if the web server is serving user uploaded content, content that could
+# potentially be treated by the browser as executable.
+# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+
+# <IfModule mod_headers.c>
+#     Header set X-Content-Type-Options "nosniff"
+# </IfModule>
+
 # ------------------------------------------------------------------------------
 # | Secure Sockets Layer (SSL)                                                 |
 # ------------------------------------------------------------------------------
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ### HEAD
 
-* Add configurations for cursor images (`.cur`).
+* Add config for reducing MIME type security risks ([#8](https://github.com/h5bp/server-configs-apache/issues/8)).
+* Add configs for cursor images (`.cur`).
 * Fix backup and source file blocking for Apache v2.3+ ([#5](https://github.com/h5bp/server-configs-apache/issues/5)).
 * Remove filename extension to content type mappings that are already provided by Apache v2.2.0+ ([#4](https://github.com/h5bp/server-configs-apache/issues/4)).
 * Improve inline comments.
