While perusing the latest release notes for PowerApps Portals, I came across a note that Microsoft has added support for the X-Content-Type-Options HTTP response header (exposed as the HTTP/X-Content-Type-Options site setting). Since it’s something I’ve run into in the past, but not something that many Dynamics/Power Platform developers may have seen, I thought I’d provide a quick summary of what it’s for.
First, before explaining what it’s for, I’ll quickly mention how you enable this on your Portal. It’s very simple: create a Site Setting with the name HTTP/X-Content-Type-Options and the value nosniff. The Portal will then send X-Content-Type-Options: nosniff on its responses. That’s all there is to it.
Note that your Portal must be at least v220.127.116.11 for this setting to work.
What does this little setting do? It tells browsers not to attempt to “sniff” the type of the files they receive from the server, and instead to always follow the value provided in the Content-Type header. In other words, browsers should trust that the server is sending the correct content type, and not try to figure it out for themselves. In practice this means a script or stylesheet whose response does not carry a JavaScript or text/css Content-Type is refused outright rather than guessed at, which closes off the classic attack where an uploaded file served with a harmless type is reinterpreted by the browser as script or HTML.
See here for more details.
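To make the behaviour concrete, here is an added example (not code from the original post or from Microsoft) that models the decision a browser makes for a response under nosniff, following the Fetch standard’s “should response be blocked due to nosniff” rules, together with a small audit helper of the kind a scanner runs against a Portal’s response headers. The sample header sets are constructed; the checkUrl helper and all function names are this example’s own.

```javascript
// Added example (not from the original post): models the browser's decision
// under X-Content-Type-Options: nosniff, and audits a response's headers.
// Decision rules follow the Fetch standard's "should response to request be
// blocked due to nosniff?" algorithm. All sample responses below are constructed.

const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Request destinations the spec treats as "script-like".
const SCRIPT_LIKE = new Set([
  'script', 'audioworklet', 'paintworklet', 'serviceworker', 'sharedworker', 'worker',
]);

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// "Determine nosniff": the first list element must equal "nosniff", ASCII case-insensitively.
function isNosniff(headers) {
  const raw = getHeader(headers, 'x-content-type-options');
  if (raw === null) return false;
  return raw.split(',')[0].trim().toLowerCase() === 'nosniff';
}

// MIME essence of the Content-Type value, e.g. "text/html; charset=utf-8" -> "text/html".
// Returns null when the header is missing or does not parse as type/subtype.
function mimeEssence(headers) {
  const ct = getHeader(headers, 'content-type');
  if (ct === null) return null;
  const essence = ct.split(';')[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s;]+$/.test(essence) ? essence : null;
}

// Returns "allowed" or "blocked" for a response fetched for the given destination.
// Without nosniff the browser is free to sniff, so everything is "allowed" here;
// with nosniff, scripts need a JavaScript MIME type and stylesheets need text/css.
function nosniffDecision(headers, destination) {
  if (!isNosniff(headers)) return 'allowed';
  const mime = mimeEssence(headers);
  if (SCRIPT_LIKE.has(destination) && (mime === null || !JS_MIME_TYPES.has(mime))) return 'blocked';
  if (destination === 'style' && mime !== 'text/css') return 'blocked';
  return 'allowed';
}

// Audit helper: the verdict a header scanner would give for these response headers.
function auditHeaders(headers) {
  const raw = getHeader(headers, 'x-content-type-options');
  if (raw === null) return { present: false, ok: false, reason: 'header missing' };
  if (!isNosniff(headers)) return { present: true, ok: false, reason: `unexpected value "${raw}"` };
  return { present: true, ok: true, reason: 'nosniff set' };
}

// Live check against a real URL (Node 18+ global fetch); defined but not invoked here.
async function checkUrl(url) {
  const res = await fetch(url);
  return auditHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed responses: a script file served with the wrong type before and after
// the site setting is added, and one served with a correct type.
const WITHOUT = { 'Content-Type': 'text/plain' };
const WITH = { 'Content-Type': 'text/plain', 'X-Content-Type-Options': 'nosniff' };
const CORRECT = { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'NOSNIFF' };

for (const [label, h] of Object.entries({ WITHOUT, WITH, CORRECT })) {
  console.log(`${label}: ${auditHeaders(h).reason}; as <script>: ${nosniffDecision(h, 'script')}`);
}
```

The WITHOUT case is the one scanners complain about: the header is absent, so a browser may sniff a text/plain response and execute it as script. Adding the setting (WITH) makes the browser refuse that response, which is the protection, but it also means any Portal script or stylesheet that is currently served with a wrong Content-Type will stop loading until its type is corrected (CORRECT).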
If you’re using a tool like https://pentest-tools.com/website-vulnerability-scanning/website-scanner, it will recommend that you configure this header with nosniff. If I had to guess, a customer of some importance raised this with Microsoft after running a tool like that, and since it would be a fairly simple thing to add, it was included as part of the latest release.
While sniffing makes it easier for developers to be lazy and not set the Content-Type header properly, the best practice is to add the nosniff option to your Portal. Before you do, confirm that the scripts and stylesheets your Portal serves carry the correct Content-Type values, since any that don’t will stop loading once browsers are told not to guess.