SyntaxFix

[html] What is "X-Content-Type-Options=nosniff"?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

I have no idea what this means, and I couldn't find anything online. I have tried adding:

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />

but the I still get the alert.

What is the correct way of setting the parameter?

This question is related to html http-headers meta owasp penetration-testing

The answer is

Prevent content sniffing where no mimetype is sent

Configuration on Ubuntu 20.04 - apache 2.4.41:

Enable the headers module $ sudo a2enmod headers

Edit file /etc/apache2/conf-available/security.conf and add:

Header always set X-Content-Type-Options: nosniff

Restart Apache $ sudo systemctl restart apache2

$ culr -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 06:12:16 GMT
Server:  
X-Content-Type-Options: nosniff
Last-Modified: Thu, 22 Oct 2020 08:06:06 GMT

Just to elaborate a bit on the meta-tag thing. I've heard a talk, where a statement was made, one should always insert the "no-sniff" meta tag in the html to prevent browser sniffing (just like OP did):

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />

However, this is not a valid method for w3c compliant websites, the validator will raise an error:

Bad value text/html; charset=UTF-8; X-Content-Type-Options=nosniff for attribute content on element meta: The legacy encoding contained ;, which is not a valid character in an encoding name.

And there is no fixing this. To rightly turn off no-sniff, one has to go to the server settings and turn it off there. Because the "no-sniff" option is something from the HTTP header, not from the HTML file which is attached at the HTTP response.

To check if the no-sniff option is disabled, one can enable the developer console, networks tab and then inspect the HTTP response header:

Visualization of enabled no-sniff option

For Microsoft IIS servers, you can enable this header via your web.config file:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Content-Type-Options"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>
</system.webServer>

And you are done.

Description

Setting a server's X-Content-Type-Options HTTP response header to nosniff instructs browsers to disable content or MIME sniffing which is used to override response Content-Type headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some attacks listed below. Configuring your server to return the X-Content-Type-Options HTTP response header set to nosniff will instruct browsers that support MIME sniffing to use the server-provided Content-Type and not interpret the content as a different content type.

Browser Support

The X-Content-Type-Options HTTP response header is supported in Chrome, Firefox and Edge as well as other browsers. The latest browser support is available on the Mozilla Developer Network (MDN) Browser Compatibility Table for X-Content-Type-Options:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Attacks Countered

  1. MIME Confusion Attack enables attacks via user generated content sites by allowing users uploading malicious code that is then executed by browsers which will interpret the files using alternate content types, e.g. implicit application/javascript vs. explicit text/plain. This can result in a "drive-by download" attack which is a common attack vector for phishing. Sites that host user generated content should use this header to protect their users. This is mentioned by VeraCode and OWASP which says the following:

    This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.

  2. Unauthorized Hotlinking can also be enabled by Content-Type sniffing. By hotlinking to sites with resources for one purpose, e.g. viewing, apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service, e.g. GitHub displays JavaScript code for viewing, but not for execution:

    Some pesky non-human users (namely computers) have taken to "hotlinking" assets via the raw view feature -- using the raw URL as the src for a <script> or <img> tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we've been forced to block popular content served this way because it put excessive strain on our servers.

A really simple explanation that I found useful: the nosniff response header is a way to keep a website more secure.

From Security Researcher, Scott Helme, here:

It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

Syntax :

X-Content-Type-Options: nosniff

Directives :

nosniff Blocks a request if the requested type is 1. "style" and the MIME type is not "text/css", or 2. "script" and the MIME type is not a JavaScript MIME type.

Note: nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.

Specification :

https://fetch.spec.whatwg.org/#x-content-type-options-header

# prevent mime based attacks
Header set X-Content-Type-Options "nosniff"

This header prevents "mime" based attacks. This header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type as the header instructs the browser not to override the response content type. With the nosniff option, if the server says the content is text/html, the browser will render it as text/html.

http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html

Source: Stackoverflow.com

Examples related to html

Embed ruby within URL : Middleman Blog Please help me convert this script to a simple image slider Generating a list of pages (not posts) without the index file Why there is this "clear" class before footer? Is it possible to change the content HTML5 alert messages? Getting all files in directory with ajax DevTools failed to load SourceMap: Could not load content for chrome-extension How to set width of mat-table column in angular? How to open a link in new tab using angular? ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment

Examples related to http-headers

Set cookies for cross origin requests Adding a HTTP header to the Angular HttpClient doesn't send the header, why? Passing headers with axios POST request What is HTTP "Host" header? CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response Using Axios GET with Authorization Header in React-Native App Axios get access to response header fields Custom header to HttpClient request Send multipart/form-data files with angular using $http Best HTTP Authorization header type for JWT

Examples related to meta

What is "X-Content-Type-Options=nosniff"? window.location (JS) vs header() (PHP) for redirection How to use the 'og' (Open Graph) meta tag for Facebook share Auto refresh code in HTML using meta tags Redirect from an HTML page

Examples related to owasp

Why is it common to put CSRF prevention tokens in cookies? What is "X-Content-Type-Options=nosniff"? PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

Examples related to penetration-testing

What is "X-Content-Type-Options=nosniff"?

Tags

Sp-send-dbmail Freemarker Syck Togglebuttonbar Xbase Rewritemap Nvidia Uint64 External Bea User32 Storekit Multi-dimensional-scaling Cruisecontrol.net Ixmlserializable Camera Remote-server Wavelet Linear-programming Mashery Resizegrip Linux-toolchain Android-library Multiple-tables Openstack-swift Mpkg Working-set Metaweblog Loaderlock Zip Pascalscript Webtop Android-listview Metatrader4 F5 Cloud Oz Or-designer Libjingle Depth Launch Swf-compiler Using-directives Leakdiag Squashfs Editing Qstatemachine Mod-include Splitpanel Raid Negative-lookahead Wakelock Labels Www-mechanize Llblgen Api-design Wtsapi32 Script-fu Bless Virtual-inheritance Jquery-masonry Microformats Olap4j Dry Alien Errata Performancecounter Slicehost Datahistory Xps Base85 Java.util.date Uiwebview Overload-resolution Initialization-order Build-agent Typeahead Servicepoint Independentsoft Pts Inline-scripting Phpeclipse Zend-decorators Gate Year2038 Stata Dwm Pamie Javascript-debugger Rooted-device Nhprof Execute-immediate Signaturetool Userinfo Ldf Markerclusterer Ckeditor Opentools Enyim Raima