Joomla 3.9.3 Security Notes: Difference between revisions
From Joomla! Documentation
Latest revision as of 04:44, 17 April 2019
.htaccess and web.config Security Update
Since Joomla 3.9.3, Joomla ships with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so-called MIME-type sniffing feature in web browsers. Sniffing enables specific attack vectors in which scripts embedded in normally harmless file formats (e.g. images) are executed by the browser, leading to Cross-Site Scripting vulnerabilities. The Joomla Security Strike Team recommends manually applying the necessary changes to existing .htaccess or web.config files, as those files cannot be updated automatically.
Changes for .htaccess
For Apache Web Servers
Add the following lines before ## Mod_rewrite in use:
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
Changes for web.config
For Microsoft IIS Web Server
Add the following lines right after </rewrite>:
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
Changes for Nginx
For Nginx Web Server
If you are using the Nginx web server, add the following parameter under the server block in your Nginx configuration /etc/nginx/nginx.conf:
http {
add_header X-Content-Type-Options nosniff;
}
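After applying any of the three changes above, it is worth confirming that the header actually reaches the browser on the pages and static assets that matter. The following checker is an added example, not part of the Joomla documentation: it evaluates a set of response headers for a correct X-Content-Type-Options value (including error responses, which also need the header), and the sample header lists it ships with are constructed stand-ins for a live server.

```python
"""Check that a web server sends X-Content-Type-Options: nosniff.

Added example (not part of the Joomla documentation). Header names are
matched case-insensitively; a missing header, a value other than
"nosniff", or duplicate headers with conflicting values all fail.
"""
import sys
import urllib.error
import urllib.request
from typing import Iterable, Tuple

HEADER = "x-content-type-options"


def nosniff_status(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for a sequence of (name, value) header pairs."""
    values = [v.strip() for name, v in headers if name.lower() == HEADER]
    if not values:
        return False, "header missing: browser may sniff MIME types"
    if any(v.lower() != "nosniff" for v in values):
        return False, f"unexpected value(s): {values}"
    return True, "nosniff present"


def audit_url(url: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """HEAD-request `url` and evaluate its headers (needs network access).

    4xx/5xx responses are evaluated too: the hardening has to cover
    error pages as well as successful responses.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return nosniff_status(resp.getheaders())
    except urllib.error.HTTPError as err:
        return nosniff_status(err.headers.items())


# Constructed sample responses (not captured from a real site).
HARDENED = [("Content-Type", "image/png"), ("x-content-type-options", "nosniff")]
UNHARDENED = [("Content-Type", "image/png"), ("Server", "Apache")]

if __name__ == "__main__":
    # Usage: python check_nosniff.py https://example.invalid/images/logo.png
    target = sys.argv[1] if len(sys.argv) > 1 else None
    ok, reason = audit_url(target) if target else nosniff_status(HARDENED)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it against an image URL as well as the front page: the sniffing risk the notes describe concerns files served as images, so those responses must carry the header too.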