HTTP Headers
X Content Type Options
The HTTP X-Content-Type-Options response header signals that the MIME type specified in the Content-Type header should be strictly followed and not altered. By setting this header, developers prevent MIME type sniffing: browsers no longer override the declared content type of a response, which closes the class of attacks in which a file served under one type (for example a user upload served as text/plain) is reinterpreted by the browser as script or stylesheet. Security testers routinely verify that this header is present and set to nosniff on the responses in scope.
Note: The X-Content-Type-Options response header applies primarily to request blocking due to nosniff for request destinations of "script" and "style". It also enables Cross-Origin Read Blocking (CORB) protection for HTML, plain text, JSON and XML files (excluding SVG images with content type image/svg+xml).
Header type | Response header
---|---
Forbidden request header | No
Syntax
X-Content-Type-Options: nosniff
Directives
nosniff
Prevents the browser from MIME-sniffing a response away from the declared Content-Type. With this directive in effect, a request whose destination is style is blocked unless the response's MIME type is text/css, and a request whose destination is script is blocked unless the response carries an official JavaScript MIME type (such as text/javascript). Blocking rather than guessing defeats attacks that rely on MIME-type confusion, because a resource can only be interpreted according to the type the server actually declared.
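To make the blocking rule concrete, here is an added example (not code from the original page or from Requestly) that models the Fetch standard's nosniff decision in plain JavaScript and runs it over a constructed response head. It goes slightly beyond the page: the "script" check also covers the worker and worklet destinations the Fetch standard lists as script-like. The header map layout, the sample response and all function names are the example's own.

```javascript
// Added example (not code from the original page or from Requestly): a model of
// the Fetch standard's "nosniff" request blocking plus the check a tester runs
// on a captured response. Header names are lowercased, as a browser stores them.

// JavaScript MIME types as enumerated in the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Destinations the Fetch standard treats as "script-like": the nosniff check for
// "script" applies to these too, beyond the script/style pair the page names.
const SCRIPT_LIKE_DESTINATIONS = new Set([
  "audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", "worker",
]);

// HTTP token characters, used to validate type and subtype.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const MIME_ESSENCE = new RegExp(`^${TOKEN}/${TOKEN}$`);

// Reduce a Content-Type value to its essence (type/subtype, lowercase, no
// parameters). Returns null when the header is absent or not a valid MIME type,
// which the Fetch algorithm treats as "failure" and therefore blocks.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return MIME_ESSENCE.test(essence) ? essence : null;
}

// Fetch's "determine nosniff": split the header value as a list and test whether
// its first member is "nosniff" (ASCII case-insensitive). Anything else,
// including a missing header or "foo, nosniff", means the protection is off.
function determineNosniff(xctoValue) {
  if (typeof xctoValue !== "string") return false;
  return xctoValue.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Fetch's "should response to request be blocked due to nosniff?".
// headers: object of lowercased header name -> value; destination: Request.destination.
function blockedDueToNosniff({ destination, headers }) {
  if (!determineNosniff(headers["x-content-type-options"])) return false;
  const essence = mimeEssence(headers["content-type"]);
  if (SCRIPT_LIKE_DESTINATIONS.has(destination)) {
    return essence === null || !JAVASCRIPT_MIME_TYPES.has(essence);
  }
  if (destination === "style") {
    return essence !== "text/css";
  }
  return false; // images, documents, fetch() calls, etc. are not subject to nosniff blocking
}

// Parse a raw HTTP/1.1 response head (as captured by curl -i or a proxy) into
// the lowercased name -> value map used above. Repeated fields are joined with
// ", " so that the list parsing in determineNosniff sees them as one list.
function parseResponseHead(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i === -1) continue; // status line or blank line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// The check a security tester applies to every response in scope.
function auditNosniff(headers) {
  const value = headers["x-content-type-options"];
  if (value === undefined) return "missing";
  return determineNosniff(value) ? "enforced" : "ignored";
}

// Constructed sample: a user-uploaded text file served with nosniff. A page that
// pulls it in via <script src=...> gets nothing, because text/plain is not a
// JavaScript MIME type; an <img> or fetch() of the same URL is unaffected.
const SAMPLE_RESPONSE_HEAD = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/plain; charset=utf-8",
  "X-Content-Type-Options: NoSniff",
  "",
].join("\r\n");

const sampleHeaders = parseResponseHead(SAMPLE_RESPONSE_HEAD);
console.log(auditNosniff(sampleHeaders));                                            // enforced
console.log(blockedDueToNosniff({ destination: "script", headers: sampleHeaders })); // true
console.log(blockedDueToNosniff({ destination: "image", headers: sampleHeaders }));  // false
```

Two details worth noticing in the list handling: the value is matched case-insensitively, so NoSniff works, but only the first list member counts, so a proxy that appends its own value after a non-nosniff token silently leaves the protection off. Feeding the parser the head of a real response (for example the output of `curl -si`) is the quickest way to confirm what the browser will actually do.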
How to Modify Header using Requestly
Requestly is a Chrome extension that lets you modify HTTP headers, including the X-Content-Type-Options response header, so you can test how browsers handle MIME type sniffing and the related security policies while developing or debugging.
Steps to Modify the X-Content-Type-Options Header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification (X-Content-Type-Options is a response header, so add it on the response-headers side of the rule):
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter X-Content-Type-Options.
- In the “Header Value” field, enter your desired value (e.g., nosniff).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
- Save the rule.
Once the rule is saved, Requestly injects the specified X-Content-Type-Options header into every matching response, so you can observe how your application behaves with and without nosniff (for example, whether a script loaded from an endpoint that serves the wrong Content-Type is blocked). Modifying the header is useful because it controls whether the browser honours or second-guesses the declared MIME type, which is what MIME-confusion attacks exploit. Keep in mind that a rule in the extension only changes the headers seen by your own browser: to protect users, the header must be emitted by the origin server or CDN on every response, and a tester should confirm it there rather than in the extension.