x-content-type-options header missing


methuz...@gmail.com

Oct 19, 2017, 3:39:44 PM
to OWASP ZAP User Group
I ran my scan using 2.6. I get this particular alert. Is there any place that explains these alerts and how to fix them? I have changed my header response codes, to no avail. It keeps giving the same error. When I check my header info in the Firefox developer tools section, all my responses are correct. Also, is it really necessary to change the header response of a CSS3 file? It makes no sense to me.

Oh, and yes, I am new to OWASP ZAP. Grateful for it, but new.

Simon Bennetts

Oct 20, 2017, 4:17:36 AM
to OWASP ZAP User Group
Hiya,

The alert should give you more details about the problem.
Unfortunately it's difficult for us to say how to fix every problem, as there are so many platforms, technologies, frameworks etc. etc., and they all work in different ways :/
Can you paste the response headers for the relevant URL to this thread, obfuscating any sensitive information of course.
We can then hopefully give you some more advice.

Cheers,

Simon

old man

Oct 22, 2017, 11:25:27 AM
to zaprox...@googlegroups.com
Thanks for responding. This email was in the wrong folder. Found it!

Header:
<?php
// Security and cache-control headers, sent before any output
header('Content-Type: text/html');
header('X-Content-Type-Options: nosniff', false);
// stop caching of page
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Cache-Control: post-check=0, pre-check=0", false);
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Pragma: no-cache"); // HTTP/1.0
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("X-XSS-Protection: 1");
header("X-Frame-Options: SAMEORIGIN");



Response:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Date: [date here] 15:17:08 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=5, max=100
Last-Modified: [date here] GMT
Pragma: no-cache
Server: Apache/2.2.29 (Unix) mod_wsgi/3.4 Python/2.7.8 PHP/5.6.7 mod_ssl/2.2.29 OpenSSL/0.9.8zg DAV/2 mod_fastcgi/2.4.6 mod_perl/2.0.8 Perl/v5.20.0
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.6.7
X-XSS-Protection: 1

200 OK

I hope this is what you want. There is no copy and paste function with this software. Did the best I could.



--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/_Z5GbZ5X6GM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/0c51ac99-2b68-4cb1-83c5-0fdd5f5b3b6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

kingthorin+owaspzap

Oct 22, 2017, 2:52:57 PM
to OWASP ZAP User Group
In ZAP, select the alert in question. Go to the response tab, select the headers, and copy/paste them here (use the context menu or Ctrl-C & Ctrl-V).

old man

Oct 23, 2017, 6:46:31 PM
to zaprox...@googlegroups.com
This is what I have. Not the same as the response from Firefox dev tools...


HTTP/1.1 200 OK
Date: [date] GMT
Server: Apache/2.2.29 (Unix) mod_wsgi/3.4 Python/2.7.8 PHP/5.6.7 mod_ssl/2.2.29 OpenSSL/0.9.8zg DAV/2 mod_fastcgi/2.4.6 mod_perl/2.0.8 Perl/v5.20.0
Last-Modified: [date] GMT
ETag: "1c3d8fd-1bc-54572a2888ec0"
Accept-Ranges: bytes
Content-Length: 444
Content-Type: text/html

kingthorin+owaspzap

Oct 23, 2017, 8:19:19 PM
to OWASP ZAP User Group
Well there you have it, the header isn't being added to the response in question.
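The two responses pasted earlier in the thread make a good test pair for the check behind this alert. The script below is an added example, not ZAP's own rule implementation and not code from anyone in this thread: it parses both responses (reconstructed from the thread, with the redacted dates replaced by constructed values and the long Server header shortened), flags a missing or non-"nosniff" X-Content-Type-Options header the way a passive scanner would, and applies a simple heuristic of this example's own (not a ZAP rule) to tell a PHP-generated response from a file Apache served straight from disk.

```python
"""Minimal passive check in the spirit of ZAP's "X-Content-Type-Options header
missing" alert. Added example, not ZAP's code; the sample responses are
reconstructed from the mailing-list thread with constructed dates."""

from typing import Dict, List, Tuple

# Response 1: what Firefox's developer tools showed (page generated by PHP).
RESPONSE_FROM_FIREFOX = """\
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Date: Sun, 22 Oct 2017 15:17:08 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=5, max=100
Last-Modified: Sun, 22 Oct 2017 15:17:08 GMT
Pragma: no-cache
Server: Apache/2.2.29 (Unix) PHP/5.6.7
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.6.7
X-XSS-Protection: 1

<html>...</html>
"""

# Response 2: what ZAP captured for the request it flagged.
RESPONSE_FROM_ZAP = """\
HTTP/1.1 200 OK
Date: Mon, 23 Oct 2017 18:40:00 GMT
Server: Apache/2.2.29 (Unix) PHP/5.6.7
Last-Modified: Mon, 23 Oct 2017 18:00:00 GMT
ETag: "1c3d8fd-1bc-54572a2888ec0"
Accept-Ranges: bytes
Content-Length: 444
Content-Type: text/html

<html>...</html>
"""


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a header map.

    Header names are case-insensitive, so they are lower-cased; a repeated
    header is joined with ', ' as HTTP allows for list-valued fields.
    """
    head, _sep, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; a strict parser would reject it
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_line, headers


def check_nosniff(headers: Dict[str, str]) -> List[str]:
    """Return the findings this header map earns; empty means it is clean."""
    findings: List[str] = []
    if "content-type" not in headers:
        findings.append("Content-Type header missing")
    value = headers.get("x-content-type-options")
    if value is None:
        findings.append("X-Content-Type-Options header missing")
    elif value.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options set to {value!r}, expected 'nosniff'")
    return findings


def likely_origin(headers: Dict[str, str]) -> str:
    """Heuristic of this example (an assumption, not a ZAP rule): X-Powered-By
    marks a PHP-generated response; ETag + Accept-Ranges + Content-Length with
    no PHP marker is how Apache serves a file straight from disk."""
    if "x-powered-by" in headers:
        return "php"
    if {"etag", "accept-ranges", "content-length"}.issubset(headers):
        return "static-file"
    return "unknown"


def audit(raw: str) -> Dict[str, object]:
    """Parse one raw response and report its origin guess and findings."""
    status_line, headers = parse_response(raw)
    return {
        "status": status_line,
        "origin": likely_origin(headers),
        "findings": check_nosniff(headers),
    }


if __name__ == "__main__":
    for label, raw in (("firefox", RESPONSE_FROM_FIREFOX), ("zap", RESPONSE_FROM_ZAP)):
        result = audit(raw)
        print(f"{label}: origin={result['origin']} findings={result['findings'] or 'none'}")
```

Run as a script it reports the Firefox-captured response as clean and PHP-generated, and the ZAP-captured one as a static file with the header missing. That is the point of the thread: the ZAP response carries ETag, Accept-Ranges and Content-Length and no X-Powered-By, so Apache served it from disk and the PHP header() calls never ran for it. A header that must reach every response, static files included, has to be set in the web server configuration (for Apache, mod_headers) rather than in PHP.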

old man

Oct 25, 2017, 10:14:00 AM
to zaprox...@googlegroups.com
Okay, please answer this one other question: do I really need header information for a CSS3 file or an included file for security? Or is that just a quirk of the ZAP application and the way it penetrates? Oh, and where is the best section of Help to learn about these things? Thanks for your direction...


kingthorin+owaspzap

Oct 25, 2017, 1:26:24 PM
to OWASP ZAP User Group
It "probably" doesn't apply in the case of CSS content. However, you know your app/site better than we do (hopefully). There could be circumstances or functionality where it's relevant.
Ultimately you can make the call in the end as a user. That's why the severity of findings is modifiable (incl. False Positive) and why there is an Alert Filters extension.

For help you can use the in-tool help, or check:
https://github.com/zaproxy/zap-core-help/wiki
https://github.com/zaproxy/zap-extensions/wiki

Or ask here :) That's why we have a User group :)
