This is a response HTTP header which is used as a marker by the server in order to indicate that the MIME types which are advertised in the Content-Type headers should not be changed and be followed. This header allows to opt-out of MIME type sniffing.
This header came into existence when it was introduced by Microsoft in IE 8 as a way for webmasters so as to block content sniffing that was taking place and could transform non-executable MIME types into executable ones. Other browsers also started introducing it since then, even if their MIME sniffing algorithms were less aggressive.
The site security testers mostly expect this header to be set.
We can successfully prevent a web browser for it to not interpret the files as something else completely than the one which has been declared by the content type, by use of this header.
Working of X-Content-Type-Options:
This header is useful in protecting against the “MIME sniffing” vulnerabilities. Such vulnerabilities can take place if any website would allow users to upload some content to a particular website, but however the mentioned user would disguise a specific file type as something else all together. This would provide them with a chance to do XSS and thereby compromise the website.
However, this header helps in preventing such types of attacks by means of disabling “MIME sniffing” functionality characteristic to IE browsers and the Chrome browsers in a way that the browser is needed to make use of MIME type that is sent through the origin server. The example below shows the working of this header for a specific web request
- A client using Chrome puts up a request to web server for any asset such as, “image.jpg”.
- So, a response is provided along with the “X-Content-Type-Options: nosniff” header. This instead would prevent client from “sniffing” the above mentioned asset so as to try and find out if the type of file is something different than what was originally declared by the server.
- Then browser would accept MIME type which had been defined through origin server and thereby display viewer the asset.
Enablement in Apache:
This can be done by adding the below mentioned syntax in “httpd.conf” file.
Header set X-Content-Type-Options nosniff
Then the server is restarted so as make the configuration effective.
Enablement in Nginx:
The below mentioned syntax must be added in to the “nginx.conf” file under the server block.
add_header X-Content-Type-Options nosniff;
The server is then restarted so as to view the results.
Enablement in Microsoft IIS:
At first, the IIS Manager is opened and then moved to “HTTP Response Headers”. “Add” is clicked where name and value of the header is provided. Then “OK” is clicked and server restarted so as to verify the results.