X-Content-Type-Options

Prevent MIME types of security risk by adding this header to your web page’s HTTP response. Having this header instructs browser to consider file types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”.

Let’s see how to advertise this header.

Apache

You can do this by adding the below line in httpd.conf file

Header set X-Content-Type-Options nosniff

Don’t forget to restart the Apache webserver to get the configuration active.

Nginx

Add the following line in nginx.conf file under server block.

add_header X-Content-Type-Options nosniff;

As usual, you got to restart the Nginx to check the results.

Microsoft IIS

Open IIS and go to HTTP Response Headers

Click on Add and enter the Name and Value

Click OK and restart the IIS to verify the results.

X-Content-Type-Options

This HTTP header is typically used to control the MIME Type Sniffing function in web browsers. MIME Type Sniffing is a content evaluation function used by browsers when the content type is not specified. Basically, if the Content-Type header is blank or missing, the browser ‘sniffs’ the content and attempts to display the source in the most appropriate way.

However, if used in conjunction with an upload functionality, this sniffing process can pose some risks, so developers should be really careful how to use this header. Below is an example highlighting the security risk.

Text File Upload Example

Let’s suppose that a user can upload a text file to a website. If the uploaded file includes HTML, script tags or Javascript code, and we don’t specify a Content-Type as we return it, this is what happens:

  • The browser will sniff the content
  • Decide that it’s a text/html type of file, and
  • Run the code inside

Even the image files that are uploaded to our websites should include the Content-Type header when returned to the user. Otherwise, script and other malicious code could be injected into the metadata of image files (EXIF data) and be executed.

To prevent the browser from sniffing the page’s content and deciding on which MIME type to use, use the X-Content-Type-Options header with the nosniff directive:

X-Content-Type-Options: nosniff
 

Check Your Security Headers

HTTP security headers are a fundamental part of website security

‘HTTP Security Response Headers’ allow a server to push additional security information to web browsers and govern how the web browsers and visitors are able to interact with your web application.

Scroll to Top