That's what I've done and 2 of our 3 servers have passed the audit check. The third one looks like it needs some SSL/TLS tweaking (to match our other SSL-enabled server).
The line I've added to the config files is:
Header always Set X-Content-Type-Options nosniff
I tried it without the 'always' but it failed the audit scan.
Thanks!
TomH
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Hiebert, Chris <chris.hiebert@xxxxxxxxxxxxxx>
Sent: Wednesday, November 30, 2022 4:36 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: How do I set a couple of HTTP headers?
I tested this on V7R3.
Using the Web Admin UI.
Go into the server you want to update.
Under "Server Properties"
Select "HTTP Responses".
Select "Response Headers"
In the Response Headers Section click "Add".
I added the header name "X-Content-Type-Options" with the value "nosniff", left the condition as always and selected "continue".
This is what got added to the httpd.conf file:
Header always Set X-Content-Type-Options nosniff
The other option for the "Condition" was "Successful responses" and choosing that adds this to the httpd.conf file:
Header onsuccess Set X-Content-Type-Options nosniff
I manually set this value in the httpd.conf file and it appears to follow the "always" configuration:
Header Set X-Content-Type-Options nosniff
After saving and restarting the apache instance, I found that the Response Headers contained
X-Content-Type-Options: nosniff
I see the value in the Response Headers in both Chrome and Firefox.
You do not need to run a LoadModule, the directive is available by default.
If you still don't see it, then I'd suggest adding the header through the Web Admin UI and see if IBM adds something new to the config file.
--
Chris Hiebert
Senior Programmer/Analyst
Disclaimer: Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Tom Hightower
Sent: Tuesday, November 29, 2022 5:27 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: How do I set a couple of HTTP headers?
Ok, so I've added these 2 lines to the top of my Apache config file:
LoadModule headers_module modules/mod_headers.so
Header set X-Content-Type-Options nosniff
And tried to restart the server. The server doesn't seem to like that first line and won't restart until I remove it. It takes the 2nd line, but I can't see that it's doing anything - I'm not seeing the 'nosniff' listed in the Headers when I look at our pages in Chrome Developer mode.
We're running 7.4...
Thanks
TomH
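
An added example, not part of the thread and not IBM's or Apache's own code: a small checker that reads httpd.conf text and reports which condition each Header directive for X-Content-Type-Options uses, so the config can be verified before an audit scan. It assumes Apache's documented mod_headers behaviour, where an omitted condition means onsuccess; the function names and sample configs are constructed for illustration.

```python
import shlex

SETTERS = {"set", "setifempty", "add", "append", "merge"}

def audit_header_directives(conf_text, header="X-Content-Type-Options"):
    """Return (line_no, condition, action, value) for each Header directive on `header`."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a line this checker can judge
        if len(words) < 3 or words[0].lower() != "header":
            continue
        args = words[1:]
        condition = "onsuccess"  # mod_headers default when no condition is given
        if args[0].lower() in ("always", "onsuccess"):
            condition, args = args[0].lower(), args[1:]
        if len(args) < 2 or args[1].rstrip(":").lower() != header.lower():
            continue
        value = args[2] if len(args) > 2 else ""
        findings.append((line_no, condition, args[0].lower(), value))
    return findings

def sent_on_errors(findings, expected="nosniff"):
    """True if the 'always' table ends up holding the expected value."""
    present = False
    for _, condition, action, value in findings:
        if condition != "always":
            continue  # onsuccess entries do not reach the 'always' table
        if action == "unset":
            present = False
        elif action in SETTERS:
            present = value.lower() == expected
    return present

# Constructed sample configs using the directive forms quoted in the thread.
ALWAYS_CONF = "Header always Set X-Content-Type-Options nosniff\n"
DEFAULT_CONF = "# constructed sample\nHeader Set X-Content-Type-Options nosniff\n"

if __name__ == "__main__":
    for label, conf in (("always", ALWAYS_CONF), ("no condition", DEFAULT_CONF)):
        found = audit_header_directives(conf)
        print(label, found, "sent on error responses:", sent_on_errors(found))
```
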