Feature: #91354 - Integrate server response security checks
See forge#91354
Description
In order to evaluate potential server misconfigurations and to reduce the potential of security implications in general, a new HTTP response check is integrated to "Environment Status" and the "Security" section in the reports module.
Impact
It is evaluated whether non-standard file extensions lead to unexpected handling on the server side, such as test.php.wrong being evaluated as PHP or test.html.wrong being served with a text/html content type.
Besides that, HTTP host header injection is evaluated. If HTTP_HOST or SERVER_NAME are reported to contain unexpected values, this indicates that the server is affected by this configuration flaw. For Apache web servers, the configuration directive UseCanonicalName On might solve this problem.
Details are explained in TYPO3 Security Guidelines for Administrators.
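The two checks described above, written out as a stand-alone self-audit script (an added example, not TYPO3 core code). It assumes a probe directory containing the two test files, a report endpoint that echoes HTTP_HOST and SERVER_NAME as key=value lines, and a canonical host name of www.example.org; the two server stand-ins are constructed so the logic runs offline.

```python
from typing import Callable, Dict, List, Tuple

# A fetcher performs one request and returns (status, headers, body); a real
# one would use urllib or requests, the two below are constructed stand-ins.
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str], str]]
EXPECTED_HOST = "www.example.org"  # assumed canonical host name of the site

def check_file_extensions(fetch: Fetcher, base_path: str) -> List[str]:
    """Flag a server that handles an unknown trailing extension by the inner one."""
    findings = []
    status, _, body = fetch(f"{base_path}/test.php.wrong", EXPECTED_HOST)
    # A probe file that was NOT executed still contains its PHP opening tag.
    if status == 200 and "<?php" not in body:
        findings.append("test.php.wrong was evaluated as PHP")
    status, headers, _ = fetch(f"{base_path}/test.html.wrong", EXPECTED_HOST)
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("text/html"):
        findings.append(f"test.html.wrong was served as {ctype}")
    return findings

def check_host_header(fetch: Fetcher, report_path: str) -> List[str]:
    """Send an unexpected Host header and see whether the server echoes it back.
    report_path is assumed to return HTTP_HOST and SERVER_NAME as key=value lines."""
    _, _, body = fetch(report_path, "injected.invalid")
    reported = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    return [f"{var} reported as {reported[var]!r}" for var in ("HTTP_HOST", "SERVER_NAME")
            if reported.get(var, EXPECTED_HOST) != EXPECTED_HOST]

def run_checks(fetch: Fetcher) -> List[str]:
    # Paths are assumptions for this example, not TYPO3's real probe locations.
    return check_file_extensions(fetch, "/probe") + check_host_header(fetch, "/report")

def misconfigured_server(path: str, host: str):
    """Constructed stand-in: evaluates *.php.*, serves *.html.* as HTML, trusts Host."""
    if path.endswith("test.php.wrong"):
        return 200, {"content-type": "text/html"}, "executed"
    if path.endswith("test.html.wrong"):
        return 200, {"content-type": "text/html"}, "<h1>probe</h1>"
    return 200, {"content-type": "text/plain"}, f"HTTP_HOST={host}\nSERVER_NAME={host}\n"

def hardened_server(path: str, host: str):
    """Constructed stand-in: refuses unknown extensions, reports the canonical name."""
    if path.endswith(".wrong"):
        return 403, {"content-type": "text/html"}, "Forbidden"
    return 200, {"content-type": "text/plain"}, f"HTTP_HOST={EXPECTED_HOST}\nSERVER_NAME={EXPECTED_HOST}\n"

if __name__ == "__main__":
    for name, server in (("misconfigured", misconfigured_server), ("hardened", hardened_server)):
        print(name, run_checks(server) or ["no findings"])
```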