ENGINEERED CODE BLOG

PowerApps Portals: Support for X-Content-Type-Options HTTP Header

While perusing the latest release notes for PowerApps Portals, I came across a note that Microsoft has added support for the HTTP/X-Content-Type-Options HTTP Header. Since it’s something I’ve run into in the past, but not something that many Dynamics/Power Platform developers may have seen, I thought I’d provide a quick summary of what it’s for.

The How

First, before explaining what it’s for, I’ll quickly mention how you enable this on your Portal. It’s very simple: create a Site Setting with the name of HTTP/X-Content-Type-Options and a value of nosniff. That’s all there is to it.

Note that your Portal must be at least v9.1.9.67 for this setting to work.

The Why

What does this little setting do? It tells browsers not to attempt to “sniff” the type of the files it is receiving from the server, and instead to always follow the value provided in the Content-Type header. In other words, browsers should trust that the server is sending the correct content type, and not try to figure it out for themselves.

See here for more details.

If you’re using a tool like https://pentest-tools.com/website-vulnerability-scanning/website-scanner, it will recommend that you configure this header with nosniff. If I had to guess, a customer of some importance raised this with Microsoft after running a tool like that, and since it would be a fairly simple thing to add, it was included as part of the latest release.

It’s meant for servers hosting untrusted (i.e. user-uploaded) content. One of the main risks this header is trying to address is putting JavaScript code in files where it is not meant to be. Say your website allowed users to upload text files to a forum. One thing you’d probably want to do is ensure that the Content-Type was always something like text/plain so that even if the text file contained JavaScript, the browser wouldn’t execute it. Instead, if a browser was trying to be smart and “sniff” the actual type of the file, then it might recognize it as JavaScript, and allow it to be executed.

While sniffing makes it easier for developers to be lazy and not properly set the Content-Type header, best practice is to add the nosniff option to your Portal.
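A quick way to confirm the Site Setting actually took effect is to inspect the response headers your Portal sends. The script below is an added example (not code from the post or from Microsoft): it checks a set of response headers for X-Content-Type-Options: nosniff, flags a missing Content-Type, and, so it runs offline, stands up a throwaway local server with one hardened path and one lax path to audit. The `/hardened` and `/lax` paths and the server itself are constructed for the demo; against a real Portal you would call `fetch_headers` with the Portal URL instead.

```python
"""Audit HTTP response headers for X-Content-Type-Options: nosniff (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import threading
import urllib.request


def has_nosniff(headers):
    """True if the headers carry X-Content-Type-Options: nosniff.

    Header names are case-insensitive, and browsers accept the value
    case-insensitively, so both are compared in lower case.
    """
    for name, value in headers.items():
        if name.lower() == "x-content-type-options" and value.strip().lower() == "nosniff":
            return True
    return False


def audit_headers(headers):
    """Return a list of findings (empty list means the response looks fine)."""
    findings = []
    if not has_nosniff(headers):
        findings.append("missing X-Content-Type-Options: nosniff")
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if content_type is None:
        # nosniff only helps when the server declares a type to trust
        findings.append("no Content-Type header; browser will sniff regardless")
    return findings


def fetch_headers(url):
    """Fetch a URL and return its response headers as a plain dict."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo server: /hardened sends nosniff, /lax does not."""

    def do_GET(self):
        # Plain text that merely looks like script; with nosniff the browser
        # keeps treating it as text/plain instead of guessing.
        body = b"alert('looks like script');"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if self.path == "/hardened":
            self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Start a local server on a free port, audit both paths, return {path: findings}."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return {path: audit_headers(fetch_headers(base + path)) for path in ("/hardened", "/lax")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Running it prints `/hardened OK` and `/lax missing X-Content-Type-Options: nosniff`. Point `fetch_headers` at a page on your Portal and pass the result to `audit_headers` to confirm the Site Setting is being honoured after the upgrade.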

Contact

Engineered Code is a web application development firm and Microsoft Partner specializing in web portals backed by Dynamics 365 & Power Platform. Led by a professional engineer, our team of technology experts are based in Regina, Saskatchewan, Canada.