How can I add “X-Content-Type-Options: nosniff” to all the response headers

I am running an ASP.NET MVC 3 website on IIS. Is there a flag in web.config or something similar that can do this?

asked Jun 10 '14 by AbbasFaisal



2 Answers

As long as you're using IIS 7 or above, it's as simple as adding it to your web.config.

<configuration>
   <system.webServer>
      <httpProtocol>
         <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
         </customHeaders>
      </httpProtocol>
   </system.webServer>
</configuration>

Or you can add them using the IIS Management GUI, or even command line. Take a look at http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders

answered Oct 22 '22 by Steven V


This question originates from MVC 3, but as this problem is still relevant in ASP.NET Core, I'll let myself propose a solution for the recent versions:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class NoSniffHeaderExtensions
{
    public static IApplicationBuilder UseNoSniffHeaders(this IApplicationBuilder builder)
    {
        return builder.Use(async (context, next) =>
        {
            // Set the header before calling the rest of the pipeline: response headers
            // cannot be changed once the body has started streaming. The indexer is used
            // rather than Add(), because Add() throws if the header is already present.
            context.Response.Headers["X-Content-Type-Options"] = "nosniff";
            await next();
        });
    }
}

Then simply add this in Startup.cs:

app.UseNoSniffHeaders();

The beauty of this approach is that it makes it independent from your web server and deployment process. At the same time you may need to extend this solution if you want it to apply to static files as well.

answered Oct 22 '22 by mikus
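The answer above points out that its middleware does not by itself cover static files. The following is an added example, not code from either answer, showing one way to close that gap in ASP.NET Core 6 or later with the minimal hosting model: the middleware is registered ahead of UseStaticFiles (which short-circuits the pipeline for the files it serves), the header is written from an OnStarting callback through the header indexer so it is idempotent, and StaticFileOptions.OnPrepareResponse sets it on file responses as well. The class name NoSniffMiddlewareExtensions and the placeholder "/" endpoint are assumptions of this example, not names from the page.

```csharp
// Added example (not from the original answers). Assumes ASP.NET Core 6+ with the
// minimal hosting model; NoSniffMiddlewareExtensions and the "/" endpoint are
// invented for this illustration.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Order matters: UseStaticFiles() ends the pipeline for any file it serves, so a
// header middleware registered after it would never see those responses.
app.UseNoSniffHeaders();

app.UseStaticFiles(new StaticFileOptions
{
    // Belt and braces for static assets: OnPrepareResponse runs for every file the
    // static file middleware serves, so the header is still present if someone later
    // moves UseNoSniffHeaders() below UseStaticFiles().
    OnPrepareResponse = ctx =>
    {
        ctx.Context.Response.Headers[NoSniffMiddlewareExtensions.HeaderName] =
            NoSniffMiddlewareExtensions.HeaderValue;
    }
});

app.MapGet("/", () => "hello"); // placeholder endpoint so the example runs stand-alone
app.Run();

public static class NoSniffMiddlewareExtensions
{
    public const string HeaderName = "X-Content-Type-Options";
    public const string HeaderValue = "nosniff";

    public static IApplicationBuilder UseNoSniffHeaders(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // Response headers are frozen once the body starts streaming. OnStarting
            // runs just before the first byte is written, so the header is added late
            // enough to survive anything downstream that rewrites headers, but still in
            // time. The indexer (not Add) keeps this idempotent if the header already exists.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers[HeaderName] = HeaderValue;
                return Task.CompletedTask;
            });
            await next(context);
        });
    }
}
```

After deploying, confirm with a HEAD request against both an MVC action and a static asset (for example `curl -I` on each) that the header is present. This in-process approach works whether the app is hosted in IIS, on Kestrel directly, or behind a reverse proxy; the web.config customHeaders entry from the first answer is honoured only by IIS. Either way, nosniff is only as strong as the Content-Type the server declares, so check that your static file MIME mappings are correct as well.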