Lagos, Nigeria

What Does X-Content-Type-Options Do? – Technipages

Security headers are a subset of HTTP response header that can be set by a web server that each apply a security control in browsers. HTTP headers are a form of metadata sent with web requests and responses. The security header “X-Content-Type-Options” prevents browsers from performing MIME sniffing.

Note: HTTP headers aren’t exclusive to HTTP and are also used in HTTPS.

What is MIME sniffing?

When any data is sent over the web, one of the pieces of metadata included is a MIME type. Multipurpose Internet Mail Extensions, or MIME types are a standard used to define the type of data a file contains, which indicates how the file should be handled. Typically, the MIME-type consists of a type and subtype with an optional parameter and value. For example, a UTF-8 text file would have the MIME type “text/plain;charset=UTF-8”. In that example, the type is “text”, the subtype is “plain”, the parameter is “charset”, and the value is “UTF-8”.

To prevent the mislabeling and mishandling of files, web servers typically perform MIME sniffing. This is a process where the explicitly stated MIME-type is ignored, and instead, the start of the file is analyzed. Most filetypes include header sequences that indicate what type of file it is. Most of the time, MIME types are correct, and sniffing the file makes no difference. If there’s a difference though, webservers will use the sniffed filetype to determine how to handle the file rather than the declared MIME type.

The problem occurs if an attacker manages to upload a file such as a PNG image, but the file is really something else like JavaScript code. For similar filetypes, such as two text types this may not cause too much of an issue. It becomes a serious issue, however, if a perfectly innocuous file can then be executed instead.

What does X-Content-Type-Options do?                                                

The X-Content-Type-Options header only has one possible value “X-Content-Type-Options: nosniff”. Enabling it informs the user’s browser that it must not perform MIME type sniffing and instead rely on the explicitly declared value. Without this setting, if a malicious JavaScript file was disguised as an image such as a PNG, then the JavaScript file would be executed. With X-Content-Type-Options enabled the file will be treated as an image that fails to load as the file isn’t a valid image format.

X-Content-Type-Options isn’t particularly necessary on a website that uses entirely first-party resources, as there’s no chance of a malicious file being accidentally served. If a website uses third-party content such as external, or user-submitted resources, then X-Content-Type-Options provides protection against this type of attack.

This post was written by Mel Hawthorne and was first posted to Technipages

Do you find this article helpful? Your Friend might too. So, please Share it with them using the Share button above.
Will you like to get notified when I post new updates? Then Follow me on any of my social media handles: Google News, Telegram, WhatsApp, Twitter, Facebook, Pinterest.
You can also drop your email address below if you wish to be notified by mail.

Tags: , ,

%d bloggers like this: