X-Content-Type-Options not recognized

12313jimbo
Advanced member
Posts: 114
Joined: Fri Sep 12, 2014 10:01 pm

Post by 12313jimbo »

Hello,

I'm working through some security compliance test results and have got most of the required headers working. However "X-Content-Type-Options" doesn't seem to be recognized as enabled by any of the tests.

I've modified

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
and added the following lines, which seem to work for the other security headers:

${web.login.upstream.disable} add_header X-Frame-Options "SAMEORIGIN";
${web.login.upstream.disable} add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline';  font-src 'self'; frame-src 'self'; object-src 'none'";
${web.login.upstream.disable} add_header Referrer-Policy "strict-origin-when-cross-origin";
${web.login.upstream.disable} add_header Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self), usb=()";
I've added the "X-Content-Type-Options" header via:

zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
So that the following zimbraResponseHeaders are configured:

[zimbra@mail ~]$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-Content-Type-Options: nosniff
Doing a quick and dirty scan at https://securityheaders.com still shows that the "X-Content-Type-Options" header is not present.

If I delete the zimbraResponseHeader for "X-Content-Type-Options" and manually enter it into

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
followed by a

zmproxyctl restart
as the others were added, the web client becomes unreachable.

So my question is, how do I get the "X-Content-Type-Options" header to be recognized?

Any suggestions will be greatly appreciated!
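The securityheaders.com scan mentioned in the post can be reproduced offline against a captured header block, which makes it easier to see exactly which header the proxy drops or duplicates. The Python audit below is an added example (not code from the post or from Zimbra); the SAMPLE response is constructed to mirror the headers shown above, including the two Strict-Transport-Security values from the zimbraResponseHeader list.

```python
"""Offline audit of HTTP security response headers (added example)."""
from typing import Callable, Dict, List, Tuple

# Headers the post is trying to get recognized, with the check each must pass.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block (status line plus header lines) into a
    name -> list-of-values map. Names are lower-cased; a header sent twice
    keeps both values so duplicates can be reported instead of hidden."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> Tuple[List[str], List[str]]:
    """Return (missing_or_misconfigured, sent_more_than_once)."""
    headers = parse_headers(raw)
    problems, duplicates = [], []
    for name, ok in REQUIRED.items():
        values = headers.get(name, [])
        if not values or not all(ok(v) for v in values):
            problems.append(name)
        if len(values) > 1:
            duplicates.append(name)
    return problems, duplicates


# Constructed sample: template headers are served, nosniff is absent, and
# HSTS arrives twice (one value per zimbraResponseHeader entry in the post).
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; object-src 'none'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(self)
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    missing, dups = audit(SAMPLE)
    print("missing or misconfigured:", missing)  # ['x-content-type-options']
    print("sent more than once:", dups)          # ['strict-transport-security']
```

Against a live proxy, paste the output of `curl -sI https://<your-zimbra-host>/` into `audit()`; a header that shows up here but not in the scanner usually means it is set only on some locations, since an nginx `add_header` inside a nested block replaces, rather than extends, the ones inherited from its parent.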