This header has only one value, nosniff. It instructs a browser to adhere to the MIME type given in the Content-Type header and never to override that declaration by guessing ("sniffing") the type from the content itself. For example, when this header is set correctly and the server says the content is text/html, the browser will only render it as text/html.
Without it, if a browser requests a script but that script is served with an incorrect media type (e.g. x/x), the browser may still detect that the response looks like a script and execute it. Naturally, this could be a problem if used by attackers on your web application.
This header helps to counter the following attacks:
- MIME confusion attacks, which target user-generated content sites where users are allowed to upload files containing malicious code. Browsers can then execute these uploads by interpreting the files using an alternate content type, e.g. an implicit application/javascript instead of the explicit text/plain the server declared.
- Unauthorized hotlinking, which can also be enabled by Content-Type sniffing. This type of attack quickly adds up to a big toll on performance, slowing down your application and also allowing the attacker to divert your users elsewhere.
How to correctly implement the X-Content-Type-Options header in Apache
The correct syntax for this header in Apache goes in the <VirtualHost *:443> block of your httpd.conf or equivalent file:
Header always set X-Content-Type-Options "nosniff"
The Header directive is provided by mod_headers, so that module must be enabled for this line to work. Restart your Apache server so that the new configuration takes effect. You can use either the sudo systemctl restart apache2 or the sudo service apache2 restart command to restart your Apache server, depending on your OS version.
How to correctly implement the X-Content-Type-Options header in nginx
The correct syntax for this header in Nginx goes in the server block of your nginx.conf or equivalent file:
add_header X-Content-Type-Options "nosniff" always;
Note that add_header directives are only inherited from an enclosing level when the current level (for example a location block) defines no add_header of its own, so check that every location that sets its own headers also sets this one.
Then reload your nginx webserver gracefully with the sudo systemctl reload nginx command to ensure that these changes take effect. Alternatively, you can also use the restart command, sudo systemctl restart nginx.
If Nginx notices a syntax error in any of the configuration files, the reload is aborted and the server keeps running on the old configuration. That is why reloading is safer than restarting Nginx; running sudo nginx -t first checks the configuration without touching the running server.
How to correctly implement the X-Content-Type-Options header in IIS
- Open IIS Manager and, in the tree on the left, click the site you would like to manage.
- Double-click the "HTTP Response Headers" icon.
- Right-click the header list and select "Add".
- For the name enter X-Content-Type-Options and for the value enter nosniff.
How to correctly implement the X-Content-Type-Options header in Lighttpd
Add this to your Lighttpd configuration file, which is usually located at /etc/lighttpd/lighttpd.conf (the setenv.add-response-header directive requires mod_setenv to be loaded; Lighttpd comments start with #, not //):
setenv.add-response-header = (
    "X-Content-Type-Options" => "nosniff",
    # other security headers can be entered here
)
How to test that the X-Content-Type-Options header has been correctly implemented
It's simple and it's free. Use this free HTTP header scanning service to understand if you have correctly implemented the X-Content-Type-Options header on your web server.
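If you would rather check from your own machine, the following Python script (an added example, not code from this page or from Cyber Chief) evaluates a response's headers for a correctly set X-Content-Type-Options and can fetch a URL you pass on the command line. The header name, the nosniff value and the point that nosniff only helps when Content-Type is declared correctly come from the text above; the function names and the sample headers are my own.

```python
import sys
import urllib.error
import urllib.request


def evaluate_nosniff(headers):
    """Evaluate an iterable of (name, value) response-header pairs.

    Returns (ok, findings). ok is True only when exactly one
    X-Content-Type-Options header is present with the value "nosniff"
    (names and values compared case-insensitively). findings lists the
    problems found, plus a warning when no Content-Type is sent at all:
    once nosniff is on, a browser refuses scripts and stylesheets whose
    declared type is missing or wrong, so declared types must be right.
    """
    pairs = [(n.lower(), v.strip()) for n, v in headers]
    values = [v for n, v in pairs if n == "x-content-type-options"]
    findings = []
    if not values:
        findings.append("X-Content-Type-Options missing: browsers may sniff the MIME type")
    elif len(values) > 1:
        findings.append(f"X-Content-Type-Options sent {len(values)} times: {values}")
    elif values[0].lower() != "nosniff":
        findings.append(f"unexpected value {values[0]!r}: nosniff is the only defined value")
    ok = not findings
    if not any(n == "content-type" for n, _ in pairs):
        findings.append("Content-Type missing: declare the correct type on every response")
    return ok, findings


def check_url(url, timeout=10):
    """Send a HEAD request to url and evaluate the headers it returns.

    Error responses (4xx/5xx) are evaluated too, because the header should
    be present on error pages as well as on normal pages.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "nosniff-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate_nosniff(resp.headers.items())
    except urllib.error.HTTPError as err:
        return evaluate_nosniff(err.headers.items())


if __name__ == "__main__":
    # Constructed sample headers: what a server configured as above sends,
    # versus an unconfigured one. Pass a URL as argv[1] to check a real server.
    configured = [("Content-Type", "text/html; charset=utf-8"), ("X-Content-Type-Options", "nosniff")]
    unconfigured = [("Content-Type", "text/html; charset=utf-8")]
    for label, hdrs in (("configured", configured), ("unconfigured", unconfigured)):
        print(label, evaluate_nosniff(hdrs))
    if len(sys.argv) > 1:
        print(sys.argv[1], check_url(sys.argv[1]))
```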
The advanced next step in protecting your web application against hackers is to run regular vulnerability scans using an easy-to-use web application vulnerability scanning tool, like Cyber Chief.
Get your free trial of Cyber Chief now to see how it can help you grow your profits and keep attackers out.