You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.

Content sniffing protection

Historically, browsers (Internet Explorer in particular) tried to guess the content type of a response using content sniffing. This improved the user experience for resources that were served without a declared content type: if a browser encountered a JavaScript file that had no Content-Type header, it could guess the type and execute the file anyway.
The problem with content sniffing is that it allowed malicious users to use polyglots (files that are valid as more than one content type) to carry out XSS attacks. For example, a site may allow users to upload a valid PostScript document and view it. A malicious user could craft a PostScript document that is also a valid JavaScript file and use it to execute an XSS attack.

By default this protection is enabled: the Runtime adds the X-Content-Type-Options: nosniff response header, which instructs browsers to honour the declared Content-Type instead of sniffing the content.

The property should be:

blueriq.security.x-content-type-protection.enabled=true

To disable use:

blueriq.security.x-content-type-protection.enabled=false

Frontend Deployment

Security headers generated by the Runtime are applied only to responses that the Runtime itself serves. When the Blueriq Frontend is served from a CDN or through a reverse proxy, these headers must be configured on the CDN or reverse proxy as well; otherwise they are not applied to the Frontend's resources.
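A small check that verifies a deployment actually delivers the nosniff header, both for Runtime responses and for Frontend resources served through a CDN or reverse proxy. This is an added example, not code from Blueriq or this documentation; the sample responses are constructed, and check_url assumes the URL it is given is reachable.

```python
import http.client
from typing import Dict, Tuple
from urllib.parse import urlparse


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn a raw 'Name: value' header block into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue  # skip the status line and folded continuation lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def nosniff_status(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a lowercase-keyed header dict."""
    value = headers.get("x-content-type-options")
    if value is None:
        return False, "X-Content-Type-Options header is missing"
    if value.strip().lower() != "nosniff":
        return False, f"unexpected value {value!r}, expected 'nosniff'"
    if not headers.get("content-type"):
        # With nosniff, browsers refuse scripts and stylesheets whose type is undeclared.
        return False, "nosniff is set but Content-Type is missing; scripts and stylesheets will be blocked"
    return True, "content sniffing protection is active"


def check_url(url: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """HEAD the URL (assumed reachable) and evaluate its response headers."""
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    try:
        conn.request("HEAD", parsed.path or "/")
        resp = conn.getresponse()
        return nosniff_status({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


# Constructed sample responses: one from the Runtime, one from a CDN that
# was not configured to add the security headers.
RUNTIME_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nX-Content-Type-Options: nosniff\r\n"
CDN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nCache-Control: max-age=3600\r\n"

if __name__ == "__main__":
    for label, raw in (("runtime", RUNTIME_RESPONSE), ("cdn", CDN_RESPONSE)):
        print(label, nosniff_status(parse_header_block(raw)))
```

Run check_url against a Runtime page and against a Frontend resource served by the CDN or proxy; both should report the protection as active.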
