What is X-Content-Type-Options nosniff

Question

I am doing some penetration testing on my localhost with OWASP ZAP  and it keeps reporting this message      The Anti-MIME-Sniffing header X-Content-Type-Options was not set to    nosniff       This check is specific to Internet Explorer 8 and Google Chrome    Ensure each page sets a Content-Type header and the   X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown   I have no idea what this means  and I couldn t find anything online  I have tried adding    lt meta content  text html  charset UTF-8  X-Content-Type-Options nosniff  http-equiv  Content-Type    gt    but the I still get the alert   What is the correct way of setting the parameter

User · Answer

Prevent content sniffing where no mimetype is sent

Configuration on Ubuntu 20.04 - apache 2.4.41:

Enable the headers module $ sudo a2enmod headers

Edit file /etc/apache2/conf-available/security.conf and add:

Header always set X-Content-Type-Options: nosniff

Restart Apache $ sudo systemctl restart apache2

$ culr -I localhost

HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 06:12:16 GMT
Server:  
X-Content-Type-Options: nosniff
Last-Modified: Thu, 22 Oct 2020 08:06:06 GMT

User · Answer

A really simple explanation that I found useful  the nosniff response header is a way to keep a website more secure  From Security Researcher  Scott Helme  here   It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server

User · Answer

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed  This allows to opt-out of MIME type sniffing  or  in other words  it is a way to say that the webmasters knew what they were doing   Syntax     X-Content-Type-Options  nosniff  Directives     nosniff Blocks a request if the requested type is    1   style  and the MIME type is not  text css   or    2   script  and the MIME type is not a JavaScript MIME type   Note  nosniff only applies to  script  and  style  types  Also applying nosniff to images turned out to be incompatible with existing web sites   Specification     https   fetch spec whatwg org  x-content-type-options-header

User · Answer

prevent mime based attacks Header set X-Content-Type-Options  nosniff    This header prevents  mime  based attacks  This header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type as the header instructs the browser not to override the response content type  With the nosniff option  if the server says the content is text html  the browser will render it as text html   http   stopmalvertising com security securing-your-website-with- htaccess  htaccess-http-headers html

User · Answer

Just to elaborate a bit on the meta-tag thing  I ve heard a talk  where a statement was made  one should always insert the  quot no-sniff quot  meta tag in the html to prevent browser sniffing  just like OP did    lt meta content  quot text html  charset UTF-8  X-Content-Type-Options nosniff quot  http-equiv  quot Content-Type quot    gt   However  this is not a valid method for w3c compliant websites  the validator will raise an error  Bad value text html  charset UTF-8  X-Content-Type-Options nosniff for attribute content on element meta  The legacy encoding contained    which is not a valid character in an encoding name   And there is no fixing this  To rightly turn off no-sniff  one has to go to the server settings and turn it off there  Because the  quot no-sniff quot  option is something from the HTTP header  not from the HTML file which is attached at the HTTP response  To check if the no-sniff option is disabled  one can enable the developer console  networks tab and then inspect the HTTP response header

User · Answer

For Microsoft IIS servers  you can enable this header via your web config file    lt system webServer gt       lt httpProtocol gt         lt customHeaders gt           lt remove name  X-Content-Type-Options   gt           lt add name  X-Content-Type-Options  value  nosniff   gt         lt  customHeaders gt       lt  httpProtocol gt   lt  system webServer gt    And you are done

User · Answer

It prevents the browser from doing MIME-type sniffing  Most browsers are now respecting this header  including Chrome Chromium  Edge  IE    8 0  Firefox    50 and Opera    13  See    https   blogs msdn com b ie archive 2008 09 02 ie8-security-part-vi-beta-2-update aspx Redirected true     Sending the new X-Content-Type-Options response header with the value   nosniff will prevent Internet Explorer from MIME-sniffing a response   away from the declared content-type    EDIT   Oh and  that s an HTTP header  not a HTML meta tag option   See also   http   msdn microsoft com en-us library ie gg622941 v vs 85  aspx

User · Answer

Description Setting a server s X-Content-Type-Options HTTP response header to nosniff instructs browsers to disable content or MIME sniffing which is used to override response Content-Type headers to guess and process the data using an implicit content type  While this can be convenient in some scenarios  it can also lead to some attacks listed below  Configuring your server to return the X-Content-Type-Options HTTP response header set to nosniff will instruct browsers that support MIME sniffing to use the server-provided Content-Type and not interpret the content as a different content type  Browser Support The X-Content-Type-Options HTTP response header is supported in Chrome  Firefox and Edge as well as other browsers  The latest browser support is available on the Mozilla Developer Network  MDN  Browser Compatibility Table for X-Content-Type-Options  https   developer mozilla org en-US docs Web HTTP Headers X-Content-Type-Options Attacks Countered  MIME Confusion Attack enables attacks via user generated content sites by allowing users uploading malicious code that is then executed by browsers which will interpret the files using alternate content types  e g  implicit application javascript vs  explicit text plain  This can result in a  quot drive-by download quot  attack which is a common attack vector for phishing  Sites that host user generated content should use this header to protect their users  This is mentioned by VeraCode and OWASP which says the following   This reduces exposure to drive-by download attacks and sites serving user uploaded content that  by clever naming  could be treated by MSIE as executable or dynamic HTML files    Unauthorized Hotlinking can also be enabled by Content-Type sniffing  By hotlinking to sites with resources for one purpose  e g  viewing  apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service  e g  GitHub displays JavaScript code for viewing  but not for execution   Some pesky non-human users  namely computers  have taken to  quot hotlinking quot  assets via the raw view feature -- using the raw URL as the src for a  lt script gt  or  lt img gt  tag  The problem is that these are not static assets  The raw file view  like any other view in a Rails app  must be rendered before being returned to the user  This quickly adds up to a big toll on performance  In the past we ve been forced to block popular content served this way because it put excessive strain on our servers

[html] What is "X-Content-Type-Options=nosniff"?

Prevent content sniffing where no mimetype is sent

Examples related to html

Examples related to http-headers

Examples related to meta

Examples related to owasp

Examples related to penetration-testing