By default beginning at 10.7, ArcGIS Server sends a no-sniff header message with each HTTP response instructing the user's web browser to honor the content type of the response.
This header blocks the browser from MIME-sniffing, in which a browser attempts to determine the content type of a response and changes the content type for the user. MIME-sniffing exposes the user to potential cross-site scripting (XSS) attacks. The no-sniff header is an effective defense against XSS.
Administrators can disable the no-sniff header. Because it is a security best practice to keep this header enabled, administrators should be cautious and understand the risks involved with disabling it. Follow the steps below to disable the header using the REST API:
- Open the ArcGIS Server Administrator Directory. The URL is formatted https://server.domain.com:6443/arcgis/admin.
- Click system > properties > update.
- Add the following text in the Properties text box:
- Click to confirm the update.
The server is restarted.
To enable the header in the future, update the JSON properties file so the EnableNosniffHeader property has a value of true.