Allow json MIME type for Javascript Web Applications - Security Risks

MichaelVolz — Thu, 24 Oct 2013 17:13:44 GMT

To All Javascript Developers and Web Server Administrators:

I recently downloaded an ESRI javascript web application template to a web server. I tried to run the application using ArcGIS Online services, but it stalled on the splash page with a 404 error in Fiddler. With a little research and past experience, I determined that it was the json MIME type not being allowed through IIS that was throwing the 404 error. I added this MIME type and the javascript web application now works.

I am wondering if I am introducing any security risks to my server by allowing this additional MIME type as it is not in the MIME type list by default?

If there is a security risk, what other configuration changes do I need to make to the server to close this security risk?

Any help or information in regard to this post are greatly appreciated.

Re: Allow json MIME type for Javascript Web Applications - Security Risks

JeffPace — Fri, 25 Oct 2013 19:19:15 GMT

Is your IIS directly exposed to the internet/ in a DMZ? if so then yes, there are some json hijacking concerns

http://security.stackexchange.com/questions/7001/how-should-web-app-developers-defend-against-json-hijacking

I for one (besides the obvious dont use IIS) would recommend installing your application behind a Web Application Firewall and making sure you are doing request filtering to guard against attacks and exploits

We use mod-proxy
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

and keep our tomcat server internal allowing things only as necessary.

topic Re: Allow json MIME type for Javascript Web Applications - Security Risks in ArcGIS JavaScript Maps SDK Questions

Allow json MIME type for Javascript Web Applications - Security Risks

Re: Allow json MIME type for Javascript Web Applications - Security Risks