Server Response On Static Files

The error message "Server Response on static files" appears in the reports in the TYPO3 backend if the server delivers files with multiple extensions, e.g. "secret.html.txt", with the wrong MIME type (here as text/html instead of correctly as text/plain). This is a security vulnerability because editors can bypass the upload filter (e.g. no uploading of .html files in the fileadmin directory) in this way.

Solution

Add the following entries to the .htaccess file in the root path:

RemoveType .html .htm
RemoveType .svg .svgz
<FilesMatch ".+\.html?$">
    AddType text/html     .html .htm
</FilesMatch>
<FilesMatch ".+\.svgz?$">
    AddType image/svg+xml .svg .svgz
</FilesMatch>

Also, add the following to the .htaccess file in the fileadmin folder (you may need to create a new one):

<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>
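
To confirm that both changes took effect, the response headers for a multi-extension file can be checked. The following is an added example, not TYPO3's own check and not code from this page: the function names and the sample header sets are assumptions constructed for illustration, and fetch_headers() is meant for a probe file you placed on your own site.

```python
# Added example; audit(), parse_csp() and fetch_headers() are hypothetical names.
import mimetypes
import urllib.request

# Directives from the fileadmin policy above; each must be present with this value.
REQUIRED_CSP = {"default-src": "'self'", "script-src": "'none'",
                "style-src": "'none'", "object-src": "'none'"}
# Types a browser renders as active content.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_csp(value):
    """Split a CSP header into {directive: source list}; first occurrence wins."""
    policy = {}
    for part in (value or "").split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), " ".join(tokens[1:]))
    return policy

def audit(filename, headers, in_fileadmin=True):
    """Return findings for one response; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    served = h.get("content-type", "").split(";")[0].strip().lower()
    expected, _ = mimetypes.guess_type(filename)  # decided by the final extension
    findings = []
    if served in ACTIVE_TYPES and served != expected:
        wanted = expected or "a non-active type"
        findings.append(f"{filename}: served as {served}, expected {wanted}")
    if in_fileadmin:
        csp = parse_csp(h.get("content-security-policy"))
        for directive, source in REQUIRED_CSP.items():
            if csp.get(directive) != source:
                findings.append(f"{filename}: CSP {directive} is not {source}")
    return findings

def fetch_headers(url):
    """Fetch live response headers for a probe file on your own site."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample responses (not captured from a real server).
BEFORE = {"Content-Type": "text/html; charset=UTF-8"}
AFTER = {"Content-Type": "text/plain",
         "Content-Security-Policy": "default-src 'self'; script-src 'none'; "
                                    "style-src 'none'; object-src 'none';"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("secret.html.txt", hdrs) or "OK")
```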
