Proper X-Content-Type-Options Implementation

⇤ Web Application Header Assessment

Required for both HTTP/1.1 and HTTP/1.0

Multipurpose Internet Mail Extensions (MIME) sniffing (also known as “content sniffing”) can occur when a website allows users to upload data to the server.

Proper X-Content-Type-Options implementation is important to ensure the correct content type. A user may upload an HTML page while the web server expects a different content type. The web server sends the data back to a browser, the browser may interpret it as a web page even though the web server intended it to be (say) a CSV.

See the Fetch Living Standard for details on the processing performed by browsers.

See finding messages.

Recommendations

• Concatenate all the X-Content-Type-Options headers together.
• Set the X-Content-Type-Options header to “nosniff.”