X-Content-Type-Options HTTP Header
Web servers should state the file type for any files download, but sometimes browsers will try to be helpful as possible, and guess the file type by reading bits of it. This can lead to security issues. For example a browser could download a file called index.html containing application code and a virus. Now a user might think is a HTML file and so safe to download, but if the browser realises it's an application and download and execute it. The X-Content-Type-Options HTTP header allows you to tell the browser that, even if the file contents look different than what the server said it was, it should still treat it like the file type it was told it was, and not try to guess the file type.
How to set it up
Add the X-Content-Type-Options: nosniff header to your web server. In Apache, that would be set with the following config:
This is supported by Chrome and Internet Explorer but not yet by Firefox - but coming very soon.
It's not a standardized header, and so support is limited. It will also add 31 bytes to each request, but in this day and age that's a very small amount and personally I think it's worth it for the potential added protection.
This HTTP can add security to some browsers, and there is no real downside to setting it on your server (ignoring the small number of bytes it occupies), so we recommend setting it.
Want to read more?
More resources on X-Content-Type-Options HTTP Header:
- OWASP Security Headers page.
- Securityheaders.io - a nice little website to report on, and advise on HTTP security headers.
- Does X-Content-Type-Options really prevent content sniffing attacks?
This page was originally created on and last edited on .Tweet