X-Content-Type-Options HTTP Header
What Is X-Content-Type-Options?
Web-based security risks are quite prevalent in today’s technological age. Therefore, it is important to implement certain security measures to help avoid having your website compromised by an attacker. The X-Content-Type-Options is an HTTP header used to do just that - increase the security of your website. This post will explain what you need to know regarding how exactly the X-Content-Type-Options header works and how you can easily add it to your web server in just a couple of steps.
How Does X-Content-Type-Options Work?
The X-Content-Type-Options header is used to protect against MIME sniffing vulnerabilities. These vulnerabilities can occur when a website allows users to upload content to a website however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website.
However, this security header helps prevent these types of attacks by disabling the MIME sniffing functionality of IE and Chrome browsers so that the browser is required to use the MIME type sent via the origin server. Consider the following example of how X-Content-Type-Options works for a particular web request.
- A Chrome client makes a request to a web server for an asset (e.g. image.jpg).
- A response is sent back with the header
X-Content-Type-Options: nosniff. This prevents the client from “sniffing” the asset to try and determine if the file type is something other than what is declared by the server.
- The browser then accepts the MIME type defined by the origin server and displays the asset to the viewer.
What Does It Not Protect Against?
X-Content-Type-Options: nosniff header does not protect against all sniffing-related vulnerabilities. As previously mentioned, this header is currently only honoured by Chrome and certain versions of Internet Explorer. Therefore, if an unsupported browser accessed an asset which sends back this particular response header, it won’t have any effect.
Similarly, if a plugin or extension (e.g. Flash) is being used to fetch resources and also does not support this security header, there will be no protection in that scenario either.
Enabling the X-Content-Type-Options Header
To enable this security header on your origin server is quite easily and can be done in just a couple steps. Depending upon which web server you’re using will determine which snippet you should add to your server’s configuration file. The following section outlines what needs to be added to both Nginx and Apache web servers.
For Nginx users, add the following snippet to your .conf file. Once done, save your changes and reload Nginx.
add_header X-Content-Type-Options "nosniff"
For Apache users, simply add the following snippet to your .htaccess file. Once done, save your changes.
Header set X-Content-Type-Options "nosniff"
Enabling your web server to deliver the X-Content-Type-Options header is quite simple to do. Although this web security header currently does not protect against all forms of XSS attacks, it is easy to implement and is certainly a step in the right direction towards a safer website.