I'm using a security scanning tool to check for vulnerabilities of my web application.
One of the results was a low warning about X-Content-Type-Options header being missing.
After some digging around, I found this post on setting apache to emit nosniff headers and I put this code in to httpd.conf
file;
<IfModule mod_headers.c>
Header unset ETag
Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
And it worked! But then, my security scanning tool discovered that the 404 Not Found page on my web server was still giving me this warning. I'm guessing that the 404 error page is set to ignore the above rule somehow..
Can someone explain to me how to change this code or suggest an alternative so that error pages are included?
Could someone also maybe explain what the code above is doing? I don't actually know what IfModule
or mod_headers.c
actually means. Maybe that's why I'm having trouble in the first place.