
Allow json MIME type for Javascript Web Applications - Security Risks

10-24-2013 10:13 AM
MichaelVolz
Esteemed Contributor
To All Javascript Developers and Web Server Administrators:

I recently downloaded an ESRI JavaScript web application template to a web server. I tried to run the application using ArcGIS Online services, but it stalled on the splash page with a 404 error in Fiddler. With a little research and past experience, I determined that it was the JSON MIME type not being allowed through IIS that was throwing the 404 error. I added this MIME type and the JavaScript web application now works.

I am wondering if I am introducing any security risks to my server by allowing this additional MIME type, as it is not in the MIME type list by default?

If there is a security risk, what other configuration changes do I need to make to the server to close this security risk?

Any help or information in regard to this post is greatly appreciated.
1 Reply
JeffPace
MVP Alum
Is your IIS directly exposed to the internet / in a DMZ? If so then yes, there are some JSON hijacking concerns:

http://security.stackexchange.com/questions/7001/how-should-web-app-developers-defend-against-json-h...

I for one (besides the obvious "don't use IIS") would recommend installing your application behind a Web Application Firewall and making sure you are doing request filtering to guard against attacks and exploits.

We use mod_proxy:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

and keep our Tomcat server internal, allowing things only as necessary.
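As an added example (not code from the original thread, from Esri, or from either poster), here is what the "JSON hijacking concerns" in the reply amount to in practice, together with the `X-Content-Type-Options: nosniff` header that makes the `application/json` MIME type from the question binding on the browser rather than a hint it may second-guess. The function names (`handleJsonRequest`, `parseProtectedJson`, `demo`), the minimal request shape, and the parcel records are assumptions constructed for this example; the three controls themselves (custom request header, no bare top-level array, unparseable prefix) are the standard mitigations referenced in the linked Stack Exchange thread.

```javascript
// Added example, not from the original thread: defensive handling of JSON
// responses against "JSON hijacking". The attack abused the fact that a
// top-level JSON array is also a valid JavaScript program: a hostile page
// could load a cookie-authenticated JSON URL via <script src=...> and, in
// old browsers, read the array contents through the Array constructor.
// Mitigations: require a header a cross-site <script> tag cannot send,
// never return a bare array, and prefix the body so it fails as script.

const PREFIX = ")]}',\n"; // a syntax error as JavaScript; the client strips it

// Server side, framework-agnostic. `req` is a constructed shape for this
// example ({ headers: {...} }), not a real HTTP library object. Returns a
// plain description of the response instead of writing to a socket.
function handleJsonRequest(req, records) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    // Browsers must honour the declared type and not sniff HTML/script.
    'X-Content-Type-Options': 'nosniff',
    // Keep per-user JSON out of shared caches.
    'Cache-Control': 'no-store',
  };
  // A <script src> fetch cannot set custom request headers; XMLHttpRequest
  // or fetch() from our own origin can. Reject requests that lack it.
  const xrw = (req.headers && req.headers['x-requested-with']) || '';
  if (xrw !== 'XMLHttpRequest') {
    return { status: 403, headers, body: JSON.stringify({ error: 'forbidden' }) };
  }
  // Wrap the list in an object: `{"data":[...]}` at top level is a syntax
  // error when executed as a script, unlike a bare `[...]`.
  const payload = { data: records, count: records.length };
  return { status: 200, headers, body: PREFIX + JSON.stringify(payload) };
}

// Client side: strip the prefix before parsing. Without this step JSON.parse
// throws, which is exactly why the prefix defeats script inclusion.
function parseProtectedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(PREFIX)) {
    throw new Error('unexpected JSON response format');
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample records so the example runs offline.
const SAMPLE_RECORDS = [
  { id: 1, name: 'Parcel A' },
  { id: 2, name: 'Parcel B' },
];

// Exercise both the rejected cross-site shape and the accepted same-origin one.
function demo() {
  const crossSite = handleJsonRequest({ headers: {} }, SAMPLE_RECORDS);
  const sameOrigin = handleJsonRequest(
    { headers: { 'x-requested-with': 'XMLHttpRequest' } },
    SAMPLE_RECORDS
  );
  return {
    crossSiteStatus: crossSite.status,     // 403
    sameOriginStatus: sameOrigin.status,   // 200
    parsed: parseProtectedJson(sameOrigin.body),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The header check is the control that matters most: a static `.json` file served by IIS, as in the question, carries no per-user secrets and is not hijackable, but any dynamic JSON endpoint that relies on the session cookie should apply all three, and the WAF or request-filtering layer from the reply sits in front of them rather than replacing them.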