What is "X-Content-Type-Options=nosniff"?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

I have no idea what this means, and I couldn't find anything online. I have tried adding:

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" /> 

but I still get the alert.

What is the correct way of setting the parameter?

Koffeehaus asked Aug 20 '13 14:08



1 Answer

It prevents the browser from doing MIME-type sniffing. Most browsers are now respecting this header, including Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50 and Opera >= 13. See:

https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true

Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

EDIT:

Oh and, that's an HTTP header, not an HTML meta tag option.

See also: http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

Remi Gacogne answered Sep 17 '22 19:09
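The point of the answer above is that ZAP looks at the HTTP response headers on the wire, so a value tucked into a <meta http-equiv="Content-Type"> tag never appears as an X-Content-Type-Options header and the alert stays. The following example, added here and not part of the original question or answer, does two things: it reimplements the substance of ZAP's passive check (Content-Type present, X-Content-Type-Options present with the value nosniff, header names and value compared case-insensitively) so you can see why the meta tag fails it, and it shows a minimal WSGI application that sends the header correctly. The WSGI app, the call_app helper and the sample header lists are constructed for illustration; the asker's server stack is not known, so nothing here is tied to it.

```python
"""Added example: reproduce the ZAP nosniff check and send the header correctly.

The WSGI app and the sample header lists below are constructed for this
example; they are not ZAP's code and not the asker's server.
"""
from wsgiref.util import setup_testing_defaults


def nosniff_findings(headers):
    """Return a list of findings in the spirit of ZAP's passive check.

    `headers` is a list of (name, value) tuples as they appear on the wire.
    HTTP header names are case-insensitive, so they are compared lower-cased;
    the value 'nosniff' is compared case-insensitively as well.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    findings = []
    if "content-type" not in by_name:
        findings.append("Content-Type header missing")

    xcto = by_name.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing")
    elif not any(v.lower() == "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options set but value is not 'nosniff'")
    return findings


def hardened_app(environ, start_response):
    """Minimal WSGI app that sends nosniff as a real HTTP response header."""
    body = b"<!doctype html><title>ok</title>hello"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample: the headers a page relying on the meta tag actually
    # sends. The meta tag lives in the body, so the scanner sees no
    # X-Content-Type-Options header at all.
    meta_tag_only = [("Content-Type", "text/html; charset=UTF-8")]
    print("meta tag only:", nosniff_findings(meta_tag_only))

    status, headers, _ = call_app(hardened_app)
    print("hardened app:", status, nosniff_findings(headers))

    # To serve the hardened app locally and rescan it with ZAP:
    #   from wsgiref.simple_server import make_server
    #   make_server("127.0.0.1", 8000, hardened_app).serve_forever()
```

Run the file directly to see the meta-tag variant flagged and the WSGI variant pass. In a real deployment the header is usually added once at the web server or framework middleware layer rather than per view, so that every response, including static files and error pages, carries it.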