Joomla 3.9.3 Security Notes/sv: Difference between revisions
From Joomla! Documentation
Revision as of 16:18, 13 February 2019
Security update of .htaccess and web.config
Since Joomla 3.9.3, Joomla ships with additional security hardening in the default htaccess.txt and web.config.txt files. This hardening disables the so-called MIME-type sniffing feature in web browsers. Sniffing opens specific attack vectors in which scripts embedded in normally harmless file formats (e.g. images) are executed, leading to Cross-Site Scripting vulnerabilities. The Joomla Security Strike Team recommends manually applying the necessary changes to existing .htaccess or web.config files, as those files cannot be updated automatically.
Changes for .htaccess
Add the following lines before the line ## Mod_rewrite in use:
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
Changes for web.config
Add the following lines right after </rewrite>:
<httpProtocol>
    <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>
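As an added example (not code from the Joomla documentation or the Joomla project), a small Python helper for the manual step above: it inserts the .htaccess block before the ## Mod_rewrite in use marker exactly as the note instructs, skips files that already set the header, and checks a raw HTTP response for X-Content-Type-Options: nosniff so the result can be verified for either the Apache or the IIS configuration. The .htaccess contents and the HTTP response are constructed samples.

```python
import re

# Block from the Joomla 3.9.3 security note that goes into .htaccess
NOSNIFF_BLOCK = (
    '<IfModule mod_headers.c>\n'
    '    Header always set X-Content-Type-Options "nosniff"\n'
    '</IfModule>\n'
)
MARKER = "## Mod_rewrite in use"

# Matches an active (uncommented) Header directive that sets the option
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+X-Content-Type-Options\b',
    re.IGNORECASE | re.MULTILINE,
)


def has_nosniff(htaccess: str) -> bool:
    """True if the .htaccess text already sets X-Content-Type-Options."""
    return HEADER_RE.search(htaccess) is not None


def apply_nosniff(htaccess: str) -> str:
    """Insert the hardening block before the '## Mod_rewrite in use' line,
    or append it when the marker is missing. Safe to run more than once."""
    if has_nosniff(htaccess):
        return htaccess
    lines = htaccess.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() == MARKER:
            return "".join(lines[:i]) + NOSNIFF_BLOCK + "\n" + "".join(lines[i:])
    if htaccess and not htaccess.endswith("\n"):
        htaccess += "\n"
    return htaccess + "\n" + NOSNIFF_BLOCK


def response_has_nosniff(raw_response: str) -> bool:
    """Check the header section of a raw HTTP/1.1 response for the header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-content-type-options":
            return value.strip().lower() == "nosniff"
    return False


# Constructed sample .htaccess (not a real site's file)
SAMPLE_HTACCESS = "Options +FollowSymlinks\n\n## Mod_rewrite in use\nRewriteEngine On\n"

if __name__ == "__main__":
    print(apply_nosniff(SAMPLE_HTACCESS))
```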