https://docs-old.ckeditor.com/index.php?action=history&feed=atom&title=Template%3ACkfinder_2.x_Securing_a_Publicly_Accessible_FolderTemplate:Ckfinder 2.x Securing a Publicly Accessible Folder - Revision history2026-05-16T22:05:32ZRevision history for this page on the wikiMediaWiki 1.29.1https://docs-old.ckeditor.com/index.php?title=Template:Ckfinder_2.x_Securing_a_Publicly_Accessible_Folder&diff=7431&oldid=prevAnna: Removed redundant bracket.2019-09-04T08:09:45Z<p>Removed redundant bracket.</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 08:09, 4 September 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to make the folder publicly accessible, so all the files are served through the web server. If you rely on your web server to serve the files uploaded with CKFinder, you should take additional steps to make sure the files are served in a secure way.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to make the folder publicly accessible, so all the files are served through the web server. If you rely on your web server to serve the files uploaded with CKFinder, you should take additional steps to make sure the files are served in a secure way.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Let us assume that you have configured your CKFinder to allow uploading of avi files. Even if the avi file is then served with a valid Content-Type: <code>video/x-msvideo</code> header, some browsers may ignore this information and perform additional checks on the raw file contents. If any HTML-like data is detected in the file content, the browser may decide to ignore information about the content type and handle the served content as if it was a regular web page. This behavior is called [https://en.wikipedia.org/wiki/Content_sniffing content sniffing] (also known as ''media type sniffing'' or ''MIME sniffing''), and in some circumstances, it may lead to security issues (for example, it may open door for XSS attacks<del class="diffchange diffchange-inline">)</del>).</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Let us assume that you have configured your CKFinder to allow uploading of avi files. Even if the avi file is then served with a valid Content-Type: <code>video/x-msvideo</code> header, some browsers may ignore this information and perform additional checks on the raw file contents. If any HTML-like data is detected in the file content, the browser may decide to ignore information about the content type and handle the served content as if it was a regular web page. This behavior is called [https://en.wikipedia.org/wiki/Content_sniffing content sniffing] (also known as ''media type sniffing'' or ''MIME sniffing''), and in some circumstances, it may lead to security issues (for example, it may open door for XSS attacks).</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To avoid content sniffing, you should make sure that your server adds the <code>X-Content-Type-Options: nosniff</code> header to all HTTP responses when serving files from the publicly available folder. The <code>X-Content-Type-Options</code> response HTTP header is a marker used by the server to indicate that the MIME type set by the <code>Content-Type</code> header should not be changed and should be followed. As a result, the browser does not perform any content sniffing on the received content.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To avoid content sniffing, you should make sure that your server adds the <code>X-Content-Type-Options: nosniff</code> header to all HTTP responses when serving files from the publicly available folder. The <code>X-Content-Type-Options</code> response HTTP header is a marker used by the server to indicate that the MIME type set by the <code>Content-Type</code> header should not be changed and should be followed. As a result, the browser does not perform any content sniffing on the received content.</div></td></tr>
<!-- diff cache key ckeditor_docsold:diff:version:1.11a:oldid:7418:newid:7431 -->
</table>Annahttps://docs-old.ckeditor.com/index.php?title=Template:Ckfinder_2.x_Securing_a_Publicly_Accessible_Folder&diff=7418&oldid=prevP.Wiaderny: Created page with "When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to ma..."2019-08-21T10:51:12Z<p>Created page with "When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to ma..."</p>
<p><b>New page</b></p><div>When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to make the folder publicly accessible, so all the files are served through the web server. If you rely on your web server to serve the files uploaded with CKFinder, you should take additional steps to make sure the files are served in a secure way.<br />
<br />
Let us assume that you have configured your CKFinder to allow uploading of avi files. Even if the avi file is then served with a valid Content-Type: <code>video/x-msvideo</code> header, some browsers may ignore this information and perform additional checks on the raw file contents. If any HTML-like data is detected in the file content, the browser may decide to ignore information about the content type and handle the served content as if it was a regular web page. This behavior is called [https://en.wikipedia.org/wiki/Content_sniffing content sniffing] (also known as ''media type sniffing'' or ''MIME sniffing''), and in some circumstances, it may lead to security issues (for example, it may open door for XSS attacks)).<br />
<br />
To avoid content sniffing, you should make sure that your server adds the <code>X-Content-Type-Options: nosniff</code> header to all HTTP responses when serving files from the publicly available folder. The <code>X-Content-Type-Options</code> response HTTP header is a marker used by the server to indicate that the MIME type set by the <code>Content-Type</code> header should not be changed and should be followed. As a result, the browser does not perform any content sniffing on the received content.</div>P.Wiaderny