Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper X-Content-Type-Options Implementation

Ingrid

⇤ Web Application Header Assessment

This documentation pertains to the Web Application Headers (WAH) risk vector, which was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

Required for both HTTP/1.1 and HTTP/1.0

Multipurpose Internet Mail Extensions (MIME) sniffing (also known as “content sniffing”) can occur when a website allows users to upload data to the server.

Proper X-Content-Type-Options implementation is important to ensure the correct content type. A user may upload an HTML page while the web server expects a different content type. The web server sends the data back to a browser, the browser may interpret it as a web page even though the web server intended it to be (say) a CSV.

See the Fetch Living Standard for details on the processing performed by browsers.

See finding messages.

Recommendations

  • Concatenate all the X-Content-Type-Options headers together.
  • Set the X-Content-Type-Options header to “nosniff.”
  • September 12, 2023: Separated finding messages.
  • October 15, 2021: Added recommendations and processing details resource.
  • September 10, 2018: Published.
Was this article helpful?
9 out of 15 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.