SAP Knowledge Base Article - Public

3752541 - X-Content-Type-Options Header Missing on RMK Career Site - Recruiting Marketing

Symptom

When running a security assessment on the career site, the scanner reports "Website does not implement X-Content-Type-Options Best Practices". Technical finding code: x_content_type_options_missing.

Environment

SAP SuccessFactors Recruiting

Resolution

As confirmed by the SAP Security team, this is not a valid security/vulnerability issue.

Since the HSTS header is enabled, browsers automatically upgrade HTTP requests to HTTPS, so HTTP is not effectively used to deliver application content. In this setup, all application content is served over HTTPS, where the X-Content-Type-Options: nosniff header is correctly configured and enforced.
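To confirm the setup described above on your own site, the added script below (not SAP's tooling) probes the plain-HTTP and HTTPS responses and applies the KBA's reasoning: the HTTPS response must carry X-Content-Type-Options: nosniff and a Strict-Transport-Security policy, and plain HTTP may only redirect. The hostname careers.example.com is a placeholder.

```python
"""Check a site against the KBA's reasoning: HTTP may omit nosniff as long as
content is only ever served over HTTPS, where nosniff and HSTS are enforced."""
from http.client import HTTPConnection, HTTPSConnection
import sys


def _header(headers, name):
    """Case-insensitive lookup in a list of (name, value) pairs."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value.strip()
    return None


def evaluate(https_headers, http_status=None, http_headers=()):
    """Return (verdict, reasons). 'ok' means the HTTPS response, which is
    what actually carries content, sends nosniff and an HSTS policy, and
    plain HTTP (if probed) only redirects to HTTPS; otherwise 'review'."""
    reasons = []
    xcto = _header(https_headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        reasons.append("HTTPS response lacks X-Content-Type-Options: nosniff")
    hsts = _header(https_headers, "Strict-Transport-Security")
    if hsts is None or "max-age=" not in hsts.lower():
        reasons.append("HTTPS response lacks Strict-Transport-Security")
    if http_status is not None:
        # A browser that has not yet seen the HSTS header depends on this
        # redirect, so confirm HTTP never serves content itself.
        location = _header(http_headers, "Location") or ""
        if not (300 <= http_status < 400 and location.lower().startswith("https://")):
            reasons.append("plain HTTP does not redirect to HTTPS")
    return ("ok" if not reasons else "review", reasons)


def probe(host, path="/"):
    """HEAD both schemes without following redirects; returns the
    (https_headers, http_status, http_headers) tuple evaluate() expects."""
    https = HTTPSConnection(host, timeout=10)
    https.request("HEAD", path)
    https_headers = https.getresponse().getheaders()
    http = HTTPConnection(host, timeout=10)
    http.request("HEAD", path)
    resp = http.getresponse()
    return https_headers, resp.status, resp.getheaders()


if __name__ == "__main__":
    # Placeholder host; pass the career-site hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "careers.example.com"
    verdict, reasons = evaluate(*probe(target))
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```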

See Also

  • 3044364 - Enabling Content Security Policy for RMK Site - Recruiting Marketing
  • 3476408 - Use of Default-src and Object-src directive in Content Security Policy of RMK Career site - Recruiting Marketing

Keywords

x-content-type-options, nosniff, http, https redirect, header missing, security header, RMK, vulnerability, KBA, LOD-SF-RMK-PSI, Security, How To

Product

SAP SuccessFactors Recruiting all versions