The HTTP X-Content-Type-Options: nosniff header instructs browsers to adhere strictly to the MIME type declared by the server, which neutralizes attacks that rely on a browser reinterpreting a response as a script or stylesheet.
What is X-Content-Type-Options?
Documented on MDN, this header disables browser “MIME type sniffing”. Only the nosniff value is defined; with it set, responses are processed according to the declared Content-Type rather than according to what their bytes look like.
Why Implement X-Content-Type-Options?
- Prevention of drive-by download attacks, where malicious code is served under the guise of legitimate files.
- Reduction of XSS risks related to misinterpretation of scripts or styles.
- Ensuring content integrity and consistent user experience across all browsers.
Header Syntax
X-Content-Type-Options: nosniff
Deployment Examples
Nginx
add_header X-Content-Type-Options "nosniff" always;
Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
WordPress (functions.php)
add_action('send_headers', function () {
    header('X-Content-Type-Options: nosniff');
});
Lighttpd
setenv.add-response-header = ( "X-Content-Type-Options" => "nosniff" )
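Once the header is deployed, the next step is to verify it and to catch the one thing nosniff commonly breaks: scripts or stylesheets served with a wrong Content-Type, which browsers then refuse to load. The following Python check is an added example, not code from the original post or from Dimension Internet; it parses constructed sample responses offline, and the MIME type set it uses is an abbreviated, assumed list of the JavaScript types browsers accept.

```python
"""Offline check of HTTP response headers for X-Content-Type-Options: nosniff.

Hypothetical helper (not part of the original post). It parses a raw
HTTP/1.1 response, verifies the nosniff header, and warns when a script or
style response carries a Content-Type that nosniff would cause browsers to
block. The sample responses below are constructed, not captured from a server.
"""

# Assumed, abbreviated list of JavaScript MIME types accepted under nosniff.
SCRIPT_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers).
    Header names are lower-cased and values stripped; the last value wins."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def check_nosniff(raw: str, resource_kind: str = "other") -> list:
    """Return a list of findings for one response.
    resource_kind is how the page consumes it: "script", "style" or "other"."""
    _, headers = parse_response(raw)
    findings = []
    # Header name and value are matched case-insensitively, as browsers do.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing or invalid X-Content-Type-Options (want: nosniff)")
    # Drop parameters such as "; charset=utf-8" to get the MIME essence.
    essence = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if not essence:
        findings.append("no Content-Type declared; nosniff blocks scripts/styles without one")
    elif resource_kind == "script" and essence not in SCRIPT_TYPES:
        findings.append(f"script served as {essence}: blocked under nosniff")
    elif resource_kind == "style" and essence != "text/css":
        findings.append(f"stylesheet served as {essence}: blocked under nosniff")
    return findings


# Constructed sample responses for the checks.
GOOD_SCRIPT = ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript; charset=utf-8\r\n"
               "X-Content-Type-Options: nosniff\r\n\r\nconsole.log('ok');")
BAD_SCRIPT = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              "x-content-type-options: NoSniff\r\n\r\nconsole.log('blocked');")
NO_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Run it against responses captured from the pre-production server (for example with curl -i) for each script and stylesheet URL the site references, not only the HTML pages.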
Our X-Content-Type-Options Implementation Services
At Dimension Internet, we perform:
- auditing your HTTP headers and MIME types,
- configuring and deploying the nosniff header,
- testing and validation in a pre-production environment,
- continuous monitoring to ensure consistent and secure application.
Conclusion
The X-Content-Type-Options: nosniff header is an essential safeguard against MIME sniffing attacks and strengthens your site’s overall security. Dimension Internet supports you from initial analysis to operational monitoring for effective and seamless deployment.