Problem
By default, resources served from an Azure Storage Account do not include the X-Content-Type-Options
header in their responses. This omission can pose a security risk. According to webhint:
"Sometimes the metadata browsers need to know how to interpret the content of a resource is either incorrect, not reliable, or absent. In those cases, browsers use contextual clues that inspect the bytes of the response to detect the file format. This is known as MIME sniffing and it is done regardless of the specified
Content-Type
HTTP header sent by servers."
Solution
To address this issue, you need to integrate a Content Delivery Network (CDN) with your storage account. Follow the steps outlined in this official Azure documentation to set up a CDN.
Once the CDN is in place, go to "Rules engine" section of the CDN, under Global rule, add an action to "Modify Response Header".
With values:
- Action:
Append
- HTTP header name:
X-Content-Type-Options
- HTTP header value:
nosniff
After saving the rule, allow a few moments for the changes to take effect. In some cases, you might also need to purge the CDN endpoint to ensure that the new settings are applied immediately.
With these changes, all outgoing requests from your Azure Storage Account via the CDN will include the X-Content-Type-Options: nosniff
header in the response, enhancing the security of your served resources.
Comments