Impact of setting glide.security.header.auto_set_x_content_type_options property
08-15-2023 07:49 AM
Hey all,
I have been looking into some of the Instance Hardening properties and came across the recommendation to set glide.security.header.auto_set_x_content_type_options to true. As I understand it, setting this to TRUE will help mitigate the risk of MIME confusion attacks by requiring the Content-Type to be specified in the HTTPS response.
I am trying to understand the impact of enabling this in an environment where there are existing integrations inbound and outbound, both SOAP and REST. What are your experiences in enabling this property and are there any big risks or foreseen impacts that come to mind?
Thanks,
Ethan
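For anyone evaluating the question above, the property adds the response header X-Content-Type-Options: nosniff, which tells browsers not to sniff a response's type away from the declared Content-Type. Programmatic SOAP/REST clients do not implement sniffing and simply ignore the header, so the integration impact is normally limited to browser-loaded content that is served with a missing or wrong Content-Type (with nosniff a browser refuses to run such a response as a script or stylesheet instead of guessing). The practical check after enabling the property is therefore that instance responses actually carry the header with the value nosniff and declare an accurate Content-Type. The following is an added example, not code from the thread or from ServiceNow: it parses raw response headers of the kind captured with `curl -si` against an instance URL and reports whether the response is effective. The sample responses in it are constructed for illustration.

```python
"""Check whether an HTTP response enforces X-Content-Type-Options: nosniff.

Added example for the thread above; not code from the original post or from
ServiceNow. Feed it the output of `curl -si <url>` (status line + headers);
the sample responses at the bottom are constructed, not captured.
"""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'HTTP/1.1 200 OK' plus header lines into a lower-cased name -> values map."""
    lines = raw.lstrip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("expected an HTTP status line first")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                   # tolerate stray non-header lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_nosniff(raw: str) -> Dict[str, object]:
    """Report whether the response carries an effective nosniff directive.

    Browsers honour only the first value 'nosniff' (case-insensitive); any
    other value is ignored, so a mere presence check is not enough. A nosniff
    response also needs an accurate Content-Type, because browsers will then
    refuse script/stylesheet use of a response with a wrong or missing type
    instead of guessing.
    """
    headers = parse_headers(raw)
    xcto = headers.get("x-content-type-options", [])
    first = xcto[0].split(",", 1)[0].strip().lower() if xcto else ""
    nosniff = first == "nosniff"
    content_type = headers.get("content-type", [""])[0]
    media_type = content_type.split(";", 1)[0].strip().lower()
    issues: List[str] = []
    if not xcto:
        issues.append("X-Content-Type-Options header missing")
    elif not nosniff:
        issues.append(f"X-Content-Type-Options has ineffective value {xcto[0]!r}")
    if not media_type:
        issues.append("Content-Type missing; browsers would block script/style use under nosniff")
    return {"nosniff": nosniff, "content_type": media_type, "issues": issues}


# Constructed sample responses (not captured from a real instance).
RESPONSE_HARDENED = """HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000

{"result":[]}
"""

RESPONSE_NO_HEADER = """HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{"result":[]}
"""

RESPONSE_BAD_VALUE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: none

<html></html>
"""

RESPONSE_NO_TYPE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff

var x = 1;
"""

if __name__ == "__main__":
    samples = [("hardened", RESPONSE_HARDENED), ("no header", RESPONSE_NO_HEADER),
               ("bad value", RESPONSE_BAD_VALUE), ("no content-type", RESPONSE_NO_TYPE)]
    for label, raw in samples:
        print(f"{label:16} {check_nosniff(raw)}")
```

Run it against a real instance by saving `curl -si https://<instance>.service-now.com/api/now/table/incident?sysparm_limit=1` (with credentials) to a file and passing the file contents to `check_nosniff`; a response with the header missing or with a value other than nosniff is the one to investigate, and a nosniff response with no Content-Type is the case that can break browser-loaded content.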
02-22-2024 03:42 PM
Just an FYI: I reached out to Support on this. Below are the details of what I completed and the problem ticket that was created.
Support will involve the Dev team now, as there is PRB1712496 for this issue.
Details of what I completed are below:
1. In test and dev I added Security Center 1.4 (under All Available Applications).
2. I tried adding the property glide.security.header.auto_set_x_content_type_options with the Global app and received the attached error (same as before).
3. I then tried adding the property glide.security.header.auto_set_x_content_type_options with the app Instance Security Center. I received an error, but the property did save. See attached.
4. However, after adding the property, when viewing Instance Security Center the property was still shown as non-compliant. See attached (Medium-Security Best Practices-Non-Compliant - Auto Set Content Type Options). I enabled the toggle to true and saved, but the property does not save as true.
5. Finally, from Instance Security Center, I accessed the item and manually marked it compliant. See attached. Currently it is showing compliant. However, I am not sure whether this was the best approach to setting it compliant, or whether there are prerequisites not completed, which is why it initially did not display as compliant after the property was added.
02-23-2024 11:23 AM
I just went back and forth with SN on this issue. The end result was that this security concern listed in ISC appears to be out of date in the current hardening baselines and seems to have been deprecated previously; the guidance is to use Security Center from this point forward, as the checks there are current.
Hope that helps...
David