Tuesday, October 27, 2020

How to use the X-Content-Type-Options HTTP header in your web application

What is the HTTP Strict-Transport-Security header & how to implement in your web application?

This header has only one value. It instructs a browser to adhere to the MIME types given in the Content-Type headers and instructs browsers that these instructions should never be changed or not followed.

For example, when this header is set correctly if the server says the content is text/html, the browser will only render it as text/html

However, if a browser requests a script, but that script is served with an incorrect media type (e.g. x/x), the browser will still detect the script and execute it. Naturally, this could be a problem if used by attackers on your web application.

This header helps to counter the following attacks:

  • MIME Confusion Attack where attacks via user-generated content sites by users who are allowed to upload malicious code. In such attacks, these uploads can then be executed by browsers by interpreting the files using alternate content types, e.g. implicit application/javascript versus the explicit text/plain.
  • Unauthorized Hotlinking which can also be enabled by Content-Type sniffing. This type of attack quickly adds up to a big toll on performance, slowing down your application and also allowing the attacker to divert your user elsewhere.

How to correctly implement the X-Content-Type-Options header in Apache

The correct syntax for this header in Apache is in the <VirtualHost *:443> block of your httpd.conf or equivalent file:

Header always set X-Content-Type-Options "nosniff"

Restart your Apache server to ensure these configurations are implemented by client browsers. You can use either the sudo systemctl restart apache2 or sudo service apache2 restart command to restart your Apache server, depending on your OS version.

How to correctly implement the X-Content-Type-Options header in nginx

The correct syntax for this header in Nginx is in the server block of your nginx.conf or equivalent file:

add_header X-Content-Type-Options "nosniff" always;

A graceful restart of your nginx webserver with the sudo systemctl reload nginx command to ensure that these changes take effect. Alternatively, you can also use sudo systemctl restart nginx the restart command.

If Nginx notices a syntax error in any of the configuration files, the reload is aborted and the server keeps running based on old config files. That is why reloading is safer than restarting Nginx.

How to correctly implement the X-Content-Type-Options header in IIS

  1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
  2. Double click the "HTTP Response Headers" icon.
  3. Right click the header list and select "Add"
  4. For the "name" write X-Content-Type-Options and for the value nosniff

How to correctly implement the X-Content-Type-Options header in Lighttpd

Add this to your Lighttpd configuration file, which is usually located at /etc/lighttpd/lighttpd.conf:

setenv.add-response-header  = (
    "X-Content-Type-Options" => "nosniff",
    //other security headers can be entered here

How to test that the X-Content-Type-Options header has been correctly implemented

It's simple and it's free. Use this free HTTP header scanning service to understand if you have correctly implemented the X-Content-Type-Options header on your web server.

The advanced next step in protecting your web application against hackers is to run regular vulnerability scans using a user-friendly web application vulnerability scanning tool, like Cyber Chief.

Start your free trial of Cyber Chief now to see not only how it can help to keep attackers out, but also to see how you can ensure that you ship every release with zero known vulnerabilities. 

Or, if you prefer to have an vulnerability assessment conducted by an application security expert on your web application you can order your vulnerability assessment from here. Each vulnerability assessment report comes with:

  • Results from scanning your application for the presence of OWASP Top 10 + SANS CWE 25 + thousands of other vulnerabilities.
  • A detailed description of the vulnerabilities found.
  • A risk level for each vulnerability, so you know which ones to fix first.
  • Best-practice fixes for each vulnerability, including code snippets where relevant.
  • One-month free access to our Cyber Chief cloud-based application security & vulnerability management tool.
  • Email support from our application security experts.

Which option do you prefer?