The X-Content-Type-Options header is a security header that protects web browsers from attacks based on content type sniffing. It mitigates the risk of a browser interpreting a file as a MIME type other than the one the server intended, which can lead to security vulnerabilities.
Purpose of X-Content-Type-Options
The primary purpose of X-Content-Type-Options is to prevent browsers from interpreting files as a different MIME type than the one declared by the server. This matters because some browsers attempt to "sniff" or guess the content type of a file from its content, especially when the server-provided MIME type looks inconsistent or is missing.
How X-Content-Type-Options Works
The X-Content-Type-Options header has a single directive:
nosniff: instructs the browser not to perform content type sniffing and to rely solely on the provided Content-Type header.
This is what it looks like:
X-Content-Type-Options: nosniff
When a web server includes the X-Content-Type-Options: nosniff header in its HTTP response, it tells the browser not to guess the content type of the file and instead to adhere strictly to the Content-Type header provided by the server.
Scenario Without X-Content-Type-Options:
Here is a scenario that shows what can happen when a bad actor performs an attack and X-Content-Type-Options is not set:
1. An attacker uploads a file to a server, disguising it as an image by using a .jpg extension.
2. The server fails to set the correct Content-Type header, or it sets it to text/html.
3. A user accesses the file, and the browser, noticing the mismatch between the declared Content-Type and the file extension, decides to sniff the content.
4. The browser may interpret the file as HTML, potentially leading to Cross-Site Scripting (XSS) attacks.
Scenario With X-Content-Type-Options:
Here is a scenario that shows what happens when a bad actor performs the same attack and X-Content-Type-Options is set:
1. The server sends the X-Content-Type-Options: nosniff header along with the correct Content-Type for the file.
2. The browser strictly follows the server-provided Content-Type and does not attempt to sniff or interpret the content in a different way.
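The two scenarios above come down to two checks a defender can run against any response: is nosniff present, and is the declared Content-Type specific enough for the browser to rely on. The following script is an added example, not part of the original article; it parses a raw HTTP response header block and reports both findings. The sample responses in the test are constructed, and the list of "unknown" types is taken from the MIME Sniffing Standard's definition of an unknown supplied type.

```python
# Added example (not from the original article): audit the headers that decide
# whether a browser will sniff a response. Sample inputs are constructed.

# Supplied types that the MIME Sniffing Standard treats as "unknown", i.e. the
# browser has nothing specific to honour even when nosniff is present.
UNKNOWN_TYPES = {"", "unknown/unknown", "application/unknown", "*/*"}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header names to their values from a raw HTTP/1.1 response."""
    headers: dict[str, list[str]] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_nosniff(headers: dict[str, list[str]]) -> bool:
    """Browsers honour the first value, compared ASCII-case-insensitively."""
    values = headers.get("x-content-type-options", [])
    return bool(values) and values[0].split(",")[0].strip().lower() == "nosniff"


def declared_type(headers: dict[str, list[str]]) -> str:
    """Essence of the Content-Type (no parameters), or '' when it is absent."""
    values = headers.get("content-type", [])
    return values[-1].split(";")[0].strip().lower() if values else ""


def audit(raw: str) -> list[str]:
    """Return findings; an empty list means the response matches the article's advice."""
    headers = parse_headers(raw)
    findings = []
    if not has_nosniff(headers):
        findings.append("missing X-Content-Type-Options: nosniff; browser may sniff")
    if declared_type(headers) in UNKNOWN_TYPES:
        findings.append("Content-Type missing or generic; nosniff has no specific type to enforce")
    return findings


if __name__ == "__main__":
    # Constructed sample: the 'without' scenario, an upload served with no Content-Type.
    sample = "HTTP/1.1 200 OK\r\nServer: example\r\n\r\n<html>...</html>"
    for finding in audit(sample):
        print("FINDING:", finding)
```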
Configure X-Content-Type-Options via Web Servers
More detailed instructions on how to configure security headers are available here. The snippets below assume you already know where to configure headers for your web server type:
Apache
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
NGINX
add_header X-Content-Type-Options "nosniff";