While perusing the latest release notes for PowerApps Portals, I came across a note that Microsoft has added support for the X-Content-Type-Options HTTP header. Since it’s something I’ve run into in the past, but not something that many Dynamics/Power Platform developers may have seen, I thought I’d provide a quick summary of what it’s for.
First, before explaining what it’s for, I’ll quickly mention how you enable this on your Portal. It’s very simple: create a Site Setting with the name of HTTP/X-Content-Type-Options and a value of nosniff. That’s all there is to it.
Note that your Portal must be at least v220.127.116.11 for this setting to work.
What does this little setting do? It tells browsers not to attempt to “sniff” the type of the files they are receiving from the server, and instead to always follow the value provided in the Content-Type header. In other words, browsers should trust that the server is sending the correct content type, and not try to figure it out for themselves.
See here for more details.
If you’re using a tool like https://pentest-tools.com/website-vulnerability-scanning/website-scanner, it will recommend that you configure this header with nosniff. If I had to guess, a customer of some importance raised this with Microsoft after running a tool like that, and since it would be a fairly simple thing to add, it was included as part of the latest release.
While sniffing makes it easier for developers to be lazy and not properly set the Content-Type header, best practice would be to add the nosniff option to your Portal.
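As an added example (not part of the original post, and not Microsoft's code), the Python below audits a response's headers for the setting described above and models the browser rule that, once nosniff is set, scripts and stylesheets load only when the Content-Type matches. The function names and sample responses are constructed for illustration, and the JavaScript MIME type list is a subset of what browsers accept.

```python
# Added example. The responses in SAMPLES are constructed for illustration.

# Subset of the MIME types browsers accept for scripts once nosniff is set.
JS_TYPES = {"text/javascript", "application/javascript",
            "application/x-javascript", "application/ecmascript"}


def nosniff_enabled(headers):
    """True when the first X-Content-Type-Options value is 'nosniff'."""
    for name, value in headers.items():
        if name.lower() == "x-content-type-options":
            return value.split(",")[0].strip().lower() == "nosniff"
    return False


def essence(headers):
    """Content-Type without parameters, lower-cased ('' when absent)."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def audit(headers, destination):
    """Findings for one response used as 'script', 'style' or 'document'."""
    mime = essence(headers)
    if not nosniff_enabled(headers):
        return ["nosniff missing: browser may guess the type instead of using "
                + (mime or "the (absent) Content-Type")]
    findings = []
    if not mime:
        findings.append("Content-Type missing: nothing for the browser to follow")
    if destination == "script" and mime not in JS_TYPES:
        findings.append("script will be blocked: Content-Type is %r" % mime)
    if destination == "style" and mime != "text/css":
        findings.append("stylesheet will be blocked: Content-Type is %r" % mime)
    return findings


SAMPLES = [  # constructed (headers, destination) pairs
    ({"Content-Type": "text/html; charset=utf-8"}, "document"),
    ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}, "script"),
    ({"Content-Type": "text/css", "X-Content-Type-Options": "NoSniff"}, "style"),
]

if __name__ == "__main__":
    for headers, dest in SAMPLES:
        print(dest, audit(headers, dest) or "ok")
```

The second sample is the case to look for after enabling the Site Setting: a script served as text/plain worked while browsers were sniffing and stops loading once nosniff is in place.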
The post PowerApps Portals: Support for X-Content-Type-Options HTTP Header appeared first on Engineered Code.