Menu
I am running an ASP.NET MVC 3 website on IIS. Is there a flag in web.config or something similar that can do this?
389
A Chrome client makes a request to a web server for an asset (e.g. image. jpg). A response is sent back with the header X-Content-Type-Options: nosniff . This prevents the client from "sniffing" the asset to try and determine if the file type is something other than what is declared by the server.
To check the X-Content-Type-Options in action go to Inspect Element -> Network check the request header for x-content-type-options like below.
Make sure to set both headers correctly. Site security testers usually expect this header to be set. Note: X-Content-Type-Options only apply request-blocking due to nosniff for request destinations of " script " and " style ".
Click on 'add' on left side corner and add the name and value as below. The nosniff response header is a way to keep a website more secure. Security researcher Scott Helme describes it like this: “It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly.
Setting X-Content-Type-Options At The Server Level 1 Open IIS Manager and on the left hand tree, left click the site you would like to manage. 2 Double click the “HTTP Response Headers” icon. 3 Right click the header list and select “Add” 4 For the “name” write “X-Content-Type-Options” and for the value “nosniff”
As long as you're using IIS 7 or above, it's as simple as adding it to your web.config.
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Or you can add them using the IIS Management GUI, or even command line. Take a look at http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
107
This question originates from MVC 3, but as this problem is still relevant in ASP.NET Core, I'll let myself propose a solution for the recent versions:
public static IApplicationBuilder UseNoSniffHeaders(this IApplicationBuilder builder)
{
return builder.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
await next();
});
}
Then simply add this in Startup.cs:
app.UseNoSniffHeaders();
The beauty of this approach is that it makes it independent from your web server and deployment process. At the same time you may need to extend this solution if you want it to apply to static files as well.
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
