Security considerations in MIME-Type configuration

Posted . Visible to the public.

When you are using the default MIME-Type configuration and your application allows uploading files, it can be a security issue.

Example:

A user uploads a file with HTML/JavaScript content using no file extension.

In the Apache default configuration if you access the file it will have no Content-Type. Some browsers will guess/autodetect it as HTML and now you are vulnerable to XSS.

To prevent this, you can set a default Content-Type (e.g. plain/text or application/octet-stream).

Last edit
Kim Klotz
License
Source code in this card is licensed under the MIT License.