HTTP Response: Content Types

When a web server sends an HTTP response, it usually adds a MIME type, or content type, to the HTTP header to show what kind of content the response contains. This header, including the MIME type, is added to the data stream before the data is sent.

Certain kinds of content that users request from web sites can be a security threat to your network. Other kinds of content can decrease the productivity of your users. By default, the XTM device allows some safe content types, and denies MIME content that has no specified content type. The HTTP-proxy includes a list of commonly used content types that you can add to the ruleset. You can also add, delete, or modify the definitions.

The format of a MIME type is type/subtype. For example, if you wanted to allow JPEG images, you would add image/jpg to the proxy definition. You can also use the asterisk (*) as a wildcard. To allow any image format, you add image/*.

For a list of current, registered MIME types, see http://www.iana.org/assignments/media-types.

Add, Delete, or Modify Content Types

  1. On the Edit page for the proxy, select the Proxy Action tab.
  2. From the HTTP Response drop-down list, select Content Types.
    The Content Types settings appear.

Screen shot of the HTTP-Client Edit Proxy Action page, HTTP Response Content Types settings

  3. Configure the rule action.
    For more information, see Add, Change, or Delete Rules.
  4. To change settings for another category in this proxy, see the topic for that category.
  5. Click Save.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

Allow Web Sites with a Missing Content Type

By default, the XTM device denies MIME content that has no specified content type. In most cases, we recommend that you keep this default setting. Sites that do not supply legitimate MIME types in their HTTP responses do not follow RFC recommendations and could pose a security risk. However, some organizations need their employees to get access to web sites that do not have a specified content type.

You must make sure that you change the proxy action used by the correct policy or policies. You can apply the change to any policy that uses an HTTP-Client proxy action. This could be an HTTP-proxy policy, the Outgoing policy (which also applies an HTTP-Client proxy action), or the TCP-UDP policy.

To allow web sites with a missing content type:

  1. In the Content Types list, select the Enabled check box adjacent to the Allow (none) rule.
  2. Click Save.
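
The type/subtype wildcard matching and the missing-content-type default described on this page, shown as an added Python illustration (not WatchGuard code and not a description of how the device is implemented). The sample ruleset, first-match ordering, deny fallback for unmatched types, case-insensitive comparison, and treating an empty header value as missing are all assumptions of this example.

```python
import re

# Constructed sample ruleset (not the device defaults): (pattern, action).
# Assumption: rules are evaluated top to bottom and the first match wins.
RULES = [
    ("image/*", "allow"),
    ("text/*", "allow"),
    ("application/x-msdownload", "deny"),
]

def media_type(header_value):
    """Return the lowercase type/subtype of a Content-Type value, or None if absent."""
    if header_value is None:
        return None
    # Drop parameters such as "; charset=utf-8" before matching.
    value = header_value.split(";", 1)[0].strip().lower()
    return value or None  # assumption: an empty value counts as missing

def pattern_matches(pattern, value):
    """Match a type/subtype pattern in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value) is not None

def decide(header_value, rules=RULES, allow_none=False, default="deny"):
    """Return 'allow' or 'deny' for a response's Content-Type header value."""
    value = media_type(header_value)
    if value is None:
        # Models the Allow (none) rule, which is disabled by default.
        return "allow" if allow_none else "deny"
    for pattern, action in rules:
        if pattern_matches(pattern, value):
            return action
    return default  # assumption: unmatched types fall through to deny

if __name__ == "__main__":
    # Constructed Content-Type values; None stands for a response with no header.
    samples = ["image/png", "Text/HTML; charset=UTF-8",
               "application/x-msdownload", "application/zip", "", None]
    for s in samples:
        print(f"{s!r:35} default={decide(s):5} "
              f"allow_none={decide(s, allow_none=True)}")
```

Enabling `allow_none` changes the result only for responses that declare no content type; every declared type is still evaluated against the ruleset.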

See Also

About the HTTP-Proxy
