I'd caution you against adding/changing headers to just to make things
"match" with a working site without knowing what the headers mean.

For  one  example, the correct, registered MIME type for javascript is
application/javascript      (not      application/x-javascript     nor
text/javascript).  So  while playing around with headers can be useful
for troubleshooting, you do want to aim for the correct setup.

For  another,  you  can't  just  add  C-E:  gzip unless your server is
actually gzipping the file.

However,  the  C-E  difference does provide a clue. Perhaps the IPS or
other  intermediate  device  is  incapable  of streaming-unzipping the
gzipped  HTTP  data,  so  it just lets it go (this area of weakness is
present  in  a lot of simple security software), whereas when you send
it  unencoded,  it  attempts  to  scan  it -- and promptly has a false
positive for malicious content. Try setting up your server to actually
gzip  (it  will  usually add the header automatically in turn) and see
what happens.

What  I  find  most depressing is that the IT dept of this big company
won't  even  tell  you  what IPS rule is mis/firing. It's one thing to
"refuse to fix" -- I have done that myself when working in security --
but  to  not  even  tell  you  what  rule is causing the error is just
incompetent.  This  is  a big company's main website? How important is
their  web presence that they are just leaving the dev shooting in the
dark?

-- S.

Reply via email to