Tune The Web

X-Content-Type-Options HTTP Header

This page was originally created on and last edited on .

Introduction

Web servers should state the type of every file they serve, but some browsers try to be as helpful as possible and guess the file type by reading part of its contents. This can lead to security issues. For example, a browser could download a file called index.html that actually contains application code and a virus. A user might assume it is an HTML file and therefore safe to download, but if the browser works out that it is really an application, it may download and execute it. The X-Content-Type-Options HTTP header lets you tell the browser that, even if the file contents look different from what the server declared, it should still treat the file as the declared type and not try to guess.

How to set it up

Add the X-Content-Type-Options: nosniff header to the responses your web server sends. In Apache, that is set with the following config:

    # Prevent content sniffing ("always" also applies the header to error responses)
    Header always set X-Content-Type-Options "nosniff"
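Once the header is in place, it helps to verify it from the client side and to see what it actually changes. The script below is an added example, not code from the original page or from Tune The Web: it parses a raw HTTP response head, reports whether nosniff is set, and models the rule browsers apply with nosniff in force (a script load is refused unless the declared type is a JavaScript MIME type, and a stylesheet load is refused unless it is text/css). The three sample responses are constructed, and the model is a simplification of the Fetch standard's nosniff check, not a real browser.

```python
"""Added example (not from the original page or Tune The Web): audit HTTP
responses for X-Content-Type-Options: nosniff and model what the header
changes for script and stylesheet loads. Sample responses are constructed."""

# Assumption: a subset of the JavaScript MIME types the Fetch standard accepts
# for script loads; a real browser honours a few more legacy aliases.
JAVASCRIPT_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "application/x-ecmascript",
}


def parse_response_headers(raw: str) -> dict:
    """Parse a raw response head into {lowercase-name: value}.

    Repeated headers are joined with ", " so that, as in a browser's header
    list, the first value of a repeated header is the one that wins.
    """
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def has_nosniff(headers: dict) -> bool:
    """True when the first X-Content-Type-Options value is 'nosniff' (case-insensitive)."""
    value = headers.get("x-content-type-options", "")
    return value.split(",")[0].strip().lower() == "nosniff"


def mime_essence(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";")[0].strip().lower()


def blocked_by_nosniff(headers: dict, destination: str) -> bool:
    """Simplified model of the browser's nosniff rule.

    Only script and style loads are affected, and only when nosniff is set:
    the declared Content-Type must then match the destination exactly.
    Other destinations (images, downloads, navigations) are not blocked
    by this rule, although other browser checks may still apply.
    """
    if not has_nosniff(headers):
        return False
    declared = mime_essence(headers.get("content-type", ""))
    if destination == "script":
        return declared not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return declared != "text/css"
    return False


def audit(raw: str) -> dict:
    """Summarise one response: nosniff present, declared type, and whether a
    <script src> or <link rel=stylesheet> load of it would be refused."""
    headers = parse_response_headers(raw)
    return {
        "nosniff": has_nosniff(headers),
        "content_type": mime_essence(headers.get("content-type", "")),
        "blocked_as_script": blocked_by_nosniff(headers, "script"),
        "blocked_as_style": blocked_by_nosniff(headers, "style"),
    }


# Constructed sample responses (not captured from any real server).
SNIFFABLE_TEXT = """HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 42
"""

PROTECTED_TEXT = """HTTP/1.1 200 OK
Content-Type: text/plain
X-Content-Type-Options: nosniff
Content-Length: 42
"""

PROPER_SCRIPT = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: NoSniff
Content-Length: 42
"""

if __name__ == "__main__":
    for label, raw in [("no header", SNIFFABLE_TEXT),
                       ("text/plain + nosniff", PROTECTED_TEXT),
                       ("text/javascript + nosniff", PROPER_SCRIPT)]:
        print(f"{label:28s} {audit(raw)}")
```

Run it as-is to see the three verdicts side by side; to audit a live server, paste the output of `curl -sI https://example.invalid/` (placeholder host) into `audit()`. The text/plain response without the header is the case the page warns about: nothing in the response tells the browser not to guess, so a correctly served text/plain file can still be treated as something else.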

Support

This is supported by Chrome and Internet Explorer but not yet by Firefox, though Firefox support is coming very soon.

The downsides

It's not a standardized header, so support is limited. It also adds 31 bytes to each response, but in this day and age that is a very small amount, and personally I think it's worth it for the potential added protection.

Summary

This HTTP header can add security in some browsers, and there is no real downside to setting it on your server (ignoring the small number of bytes it occupies), so we recommend setting it.

