I'm working through some security compliance test results and have got most of the required headers working. However "X-Content-Type-Options" doesn't seem to be recognized as enabled by any of the tests.
I've modified
Code:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Code:
${web.login.upstream.disable} add_header X-Frame-Options "SAMEORIGIN";
${web.login.upstream.disable} add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'";
${web.login.upstream.disable} add_header Referrer-Policy "strict-origin-when-cross-origin";
${web.login.upstream.disable} add_header Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self), usb=()";
Code:
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
Code:
[zimbra@mail ~]$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-Content-Type-Options: nosniff
If I delete the zimbraResponseHeader for "X-Content-Type-Options" and manually enter it into
Code:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Code:
zmproxyctl restart
So my question is, how do I get the "X-Content-Type-Options" header to be recognized?
Any suggestions will be greatly appreciated!
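A check worth running before changing more config, added here as an example that is not from the post or from Zimbra: a small POSIX shell audit of a raw response header block. It reports which of the headers named in the post are absent from what the server actually sends, and which are sent more than once (the zmprov output above lists Strict-Transport-Security twice, so a client would receive two copies). The sample header block is constructed, and the host in the curl comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the forum post or Zimbra): audit an HTTP response
# header block for the security headers discussed above. Runs offline on a
# constructed sample; swap in a live "curl -sI" capture to test a real server.

# Header names the post is trying to get served.
REQUIRED="X-Content-Type-Options X-Frame-Options Content-Security-Policy Referrer-Policy Permissions-Policy Strict-Transport-Security"

# check_headers: reads raw response headers on stdin and prints one finding
# per line ("MISSING <name>" or "DUPLICATE <name> (<n> copies)").
# Returns 1 if there is at least one finding, 0 if every header is sent once.
check_headers() {
    # Normalise: drop CRs, keep only "Name: value" lines (skips the status
    # line), keep just the name, lower-case it (header names are case-insensitive).
    headers=$(tr -d '\r' | grep -i '^[a-z0-9-]*:' | sed 's/:.*//' | tr 'A-Z' 'a-z' || true)
    rc=0
    for h in $REQUIRED; do
        lc=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        n=$(printf '%s\n' "$headers" | grep -cxF "$lc" || true)
        if [ "$n" -eq 0 ]; then
            echo "MISSING $h"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE $h ($n copies)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: what the zmprov list above would yield if everything
# except X-Content-Type-Options reached the client, plus the doubled HSTS header.
SAMPLE="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(self)
Content-Type: text/html"

# Live usage (placeholder host): curl -sI https://mail.example.com/ | check_headers
printf '%s\n' "$SAMPLE" | check_headers || echo "header audit: findings reported above"
```

Run it against the login page and the post-login webmail URL separately, since the nginx template lines above are conditional on the login upstream and the two responses may not carry the same headers.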