Wednesday, May 2, 2018

OHS Security Header prevents images loading

Readers,

Did you ever have to add the security header X-Content-Type-Options to the OHS server configuration to prevent MIME-based attacks? Since IAM involves a lot of security, many of these security headers are required to be configured at the OHS layer to prevent cross-site scripting, MIME sniffing and similar attacks.
Some of the security headers come with compatibility issues on a few browsers, for example X-Content-Type-Options. We had to deploy custom OAM form pages onto the OAM servers and proxy them through OHS for general requirements. Since OHS was adding this header to the HTTP headers, it prevented the images on the custom OAM form page from loading.
The form page is accessible through the direct OAM server URL, but it fails to load via OHS. Thus we had to comment out the line below for the images to render on the custom OAM form JSP page.

#Header always set X-Content-Type-Options "nosniff"
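As an added check (not part of the original post), the script below shows which resources a browser would refuse under nosniff: with that header the browser trusts the declared Content-Type and does not sniff the bytes, so an image, style sheet or script served with the wrong type is not rendered. The response sample is constructed, and the /oamcustom paths and header values are assumptions, not real OHS or OAM output.

```python
import mimetypes

# Constructed sample of (request path, response headers) as one might capture
# with "curl -I" against the OHS virtual host; not real OAM/OHS output.
SAMPLE_RESPONSES = [
    ("/oamcustom/login.jsp", {"Content-Type": "text/html;charset=UTF-8",
                              "X-Content-Type-Options": "nosniff"}),
    ("/oamcustom/images/logo.png", {"Content-Type": "text/plain",
                                    "X-Content-Type-Options": "nosniff"}),
    ("/oamcustom/images/banner.jpg", {"Content-Type": "image/jpeg",
                                      "X-Content-Type-Options": "nosniff"}),
    ("/oamcustom/images/icon.gif", {"Content-Type": "text/plain"}),
    ("/oamcustom/css/form.css", {"Content-Type": "text/plain",
                                 "x-content-type-options": "NOSNIFF"}),
]

JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def nosniff_problem(path, headers):
    """Return why the browser would refuse this resource under nosniff, or None."""
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        return None  # header absent: the browser may still sniff the real type
    declared = _header(headers, "Content-Type").split(";")[0].strip().lower()
    # Expected type is derived from the file extension in the request path.
    expected = (mimetypes.guess_type(path)[0] or "").lower()
    if expected.startswith("image/") and not declared.startswith("image/"):
        return "image served as %s (needs image/*)" % (declared or "no Content-Type")
    if expected == "text/css" and declared != "text/css":
        return "style sheet served as %s (needs text/css)" % declared
    if expected in JS_TYPES and declared not in JS_TYPES:
        return "script served as %s (needs a JavaScript type)" % declared
    return None


def audit(responses):
    """Map each affected path to the reason it would fail with nosniff in place."""
    return {path: reason for path, hdrs in responses
            if (reason := nosniff_problem(path, hdrs))}


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_RESPONSES).items():
        print(path, "->", reason)
```

The paths it reports are the ones to look at before deciding to drop the header: if OHS or the backend can be made to send the correct Content-Type for them, nosniff can stay enabled.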

Hope this helps.
