I scanned my web application with Acunetix Web Vulnerability Scanner and it says that php.ini content type is not specified.
Vulnerability description
This page doesn't set a Content-Type header value. This value informs the browser what kind of data to expect. If this header is missing, the browser may incorrectly handle the data. This could lead to security problems.
and the suggestion it gave on "How to fix this vulnerability" is "Set a Content-Type header value for this page."
This is what I have in my php.ini
magic_quotes_gpc = Off;
register_globals = Off;
default_charset = "UTF-8";
memory_limit = 64M;
max_execution_time = 3600;
upload_max_filesize = 10M;
sql.safe_mode = Off;
mysql.connect_timeout = 20;
allow_url_fopen = Off;
;session.auto_start = Off;
;session.use_only_cookies = On;
;session.use_cookies = On;
;session.use_trans_sid = Off;
;session.cookie_httponly = On;
;session.gc_maxlifetime = 3600;
;session.cookie_secure =On;
;session.entropy_file = "/dev/urandom";
;display_errors = 1;
;error_reporting = E_ALL;
Question. How do I set a content-type header value in the php.ini file?
Check file permissions.
From the PHP manual:
By default, PHP will output a media type using the Content-Type header. To disable this, simply set it to be empty.
PHP's built-in default media type is set to text/html.
But your php.ini file is not served as a PHP page. You should not leave your php.ini file exposed to the web. More on PHP security here.
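
One way to carry out the check this answer describes, as an added example that is not part of the original answer: the script lists every php.ini stored under a web document root and marks the copies whose file mode is world-readable. The function names and the docroot path passed as the first argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the web document
# root is passed as the first argument, e.g.: sh audit.sh /var/www/html

# List every php.ini stored under the document root, where the web server
# can hand it out as a static file (the request the scanner reported on).
ini_in_docroot() {
    find "$1" -type f -name 'php.ini' 2>/dev/null | sort
}

# Of those, list the copies whose mode grants read access to "other".
ini_world_readable() {
    find "$1" -type f -name 'php.ini' -perm -004 2>/dev/null | sort
}

# Print one finding per file; return 1 if any php.ini is inside the docroot.
audit_docroot() {
    hits=$(ini_in_docroot "$1")
    [ -n "$hits" ] || { echo "OK: no php.ini under $1"; return 0; }
    loose=$(ini_world_readable "$1")
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # Exact, fixed-string match so path characters are not treated as a regex.
        if printf '%s\n' "$loose" | grep -Fxq -- "$f"; then
            echo "EXPOSED, world-readable: $f"
        else
            echo "EXPOSED: $f"
        fi
    done
    return 1
}

# Run the audit only when a path was given on the command line.
if [ -n "${1:-}" ]; then audit_docroot "$1"; fi
```

A non-zero exit status means a php.ini sits inside the document root and should be moved out of it or have its permissions tightened.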