X-Content-Type-Options Header Test

Verify if cross-site scripting vulnerability protection is enabled in your site's HTTP response headers.


Results

Couldn't find the X-Content-Type-Options header in the response headers.
What Is MIME Sniffing?

MIME sniffing is a process used by web browsers to determine the type of file based on its content, rather than relying on the declared MIME type in the HTTP headers. While this helps display content correctly, it can also introduce security risks, such as cross-site scripting (XSS) attacks.

What is the MIME sniffing standard?

The MIME sniffing standard is a set of rules defined by web browsers to detect the actual file type of a resource when the server does not provide a proper Content-Type header. The standard ensures compatibility with improperly configured servers, but it can be exploited if not properly controlled.

What prevents MIME type sniffing?

To prevent MIME sniffing, you can use the X-Content-Type-Options HTTP header with the value nosniff. This instructs the browser to strictly follow the declared MIME type and not attempt to guess it.

X-Content-Type-Options: nosniff  

This is a recommended security practice to prevent malicious files from being misinterpreted as executable scripts.

How do I enable the MIME sniffing security header?

To enable MIME sniffing protection in the Apache HTTP Server, add the following to the httpd.conf or .htaccess file (the Header directive is provided by mod_headers, which must be enabled).

Header set X-Content-Type-Options "nosniff"

For Nginx, add the following to the nginx.conf file.

add_header X-Content-Type-Options nosniff;
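
After changing either configuration, the same check this test performs can be run against a saved response. The script below is an added example, not this page's own tool code; the function names and sample responses are constructed for illustration, and the "first list item" rule is taken from the Fetch standard's nosniff parsing.

```python
"""Evaluate X-Content-Type-Options in a raw HTTP response header block."""

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header names to their values, in order of appearance."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_nosniff(raw: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'pass', 'warn' or 'fail'."""
    headers = parse_headers(raw)
    values = headers.get("x-content-type-options")
    if not values:
        return "fail", "X-Content-Type-Options header is missing"
    # Repeated headers are combined into one list; only the first item counts.
    first = ",".join(values).split(",")[0].strip().lower()
    if first != "nosniff":
        return "fail", f"unexpected value {first!r}; only 'nosniff' is defined"
    if not headers.get("content-type"):
        # nosniff tells the browser to follow the declared type; none is declared.
        return "warn", "nosniff is set but no Content-Type is declared"
    return "pass", "nosniff is set and a Content-Type is declared"

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "ok": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "x-content-type-options: NoSniff\r\n\r\n",
    "typo": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Content-Type-Options: no-sniff\r\n\r\n",
    "no_type": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    "repeated": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
                "X-Content-Type-Options: nosniff\r\n"
                "X-Content-Type-Options: nosniff\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_nosniff(raw))
```

To test a live response, save the headers with a tool such as `curl -sI` and pass the text to `check_nosniff`.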

More tools for your Website

Make sure your website is in top shape with Domsignal - explore the suite of performance, SEO and security metrics testing tools now!