Set X-Content-Type-Options header in IIS web.config

Created on 26 January 2023, over 2 years ago

Problem/Motivation

In #462950: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type → and then further in 🐛 Duplicate X-Content-Type-Options headers both with the value nosniff Fixed we ensure that the X-Content-Type-Options header is correctly set on all responses from Drupal, whether they are served by PHP or as static content.

The header is set for static content in .htaccess so currently this only works in Apache. According to https://serverfault.com/a/904278, custom headers can also be set in web.config for IIS.

Steps to reproduce

Proposed resolution

Add a <customHeaders> block to web.config.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task

Status

Active

Version

10.1 ✨

Component

Base →

Last updated about 7 hours ago

Maintained by
🇺🇸United States @effulgentsia
🇬🇧United Kingdom @catch
🇬🇧United Kingdom @alexpott
🇦🇺Australia @larowlan
🇺🇸United States @bnjmnm
🇫🇷France @nod_
🇪🇸Spain @ckrina
🇬🇧United Kingdom @justafish

Created by

🇬🇧United Kingdom longwave UK

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Comments & Activities

Issue created by @longwave
Comment over 2 years ago →
🇬🇧United Kingdom alexpott 🇪🇺🌍
One issue is that web.config completely untested and I know of no one who uses IIS and Drupal. There must be people who do and maybe the move to gitlab will mean that we can finally run a limited set of tests on IIS...
Comment over 2 years ago →
🇬🇧United Kingdom longwave UK
I also imagine there are far more users running nginx and php-fpm than IIS, yet we don't ship config for that - maybe web.config should be relegated to documentation on drupal.org.
Status changed to Closed: outdated about 1 month ago10:38pm 18 May 2025
Comment about 1 month ago →
🇫🇷France prudloff Lille
web.config has been removed entirely: https://www.drupal.org/node/3440842 →

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024