- September 12, 2023: Separated finding messages.
- October 15, 2021: Added recommendations and processing details resource.
- September 10, 2018: Published.
⇤ Web Application Header Assessment
Required for both HTTP/1.1 and HTTP/1.0
Multipurpose Internet Mail Extensions (MIME) sniffing (also known as “content sniffing”) can occur when a website allows users to upload data to the server.
Proper X-Content-Type-Options implementation is important to ensure the correct content type. A user may upload an HTML page while the web server expects a different content type. The web server sends the data back to a browser, the browser may interpret it as a web page even though the web server intended it to be (say) a CSV.
See the Fetch Living Standard for details on the processing performed by browsers.
See finding messages.
Recommendations
- Concatenate all the X-Content-Type-Options headers together.
- Set the X-Content-Type-Options header to “nosniff.”