Content sniffing - Web Security Best Practices (2024)


A content sniffing attack typically involves tricking a browser into executing a script that is disguised as another file type. These attacks can be prevented with correctly configured response headers.

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and should be followed … This header was introduced by Microsoft in IE 8 as a way for webmasters to block the content sniffing that was happening and could transform non-executable MIME types into executable MIME types.


Use content sniffing protection

Turn off browser content sniffing to protect against content sniffing exploits. When processing a response, browsers sometimes ignore the MIME type in the Content-Type header and guess the type based on the contents of the response. This is called content sniffing and is done to improve the user experience when Content-Type headers are inaccurate or missing. However, this behaviour can be exploited. For example, if your site allows users to share images, an attacker might be able to upload a specially crafted image file that contains JavaScript code. A browser performing content sniffing might then be tricked into executing the malicious file. To reduce content sniffing attacks, set the X-Content-Type-Options response header to nosniff. This tells browsers to avoid guessing response types and to rely only on the Content-Type header.

Learn more

  1. Reducing MIME type security risks (msdn.microsoft.com)
  2. OWASP Secure Headers Project (www.owasp.org)
  3. Content sniffing (en.wikipedia.org)
  4. X-Content-Type-Options (developer.mozilla.org)

Set MIME types

All responses should accurately specify their MIME type so that browsers don’t have to rely on content sniffing. When the X-Content-Type-Options: nosniff response header is used to disable content sniffing, browsers rely on the Content-Type header to determine the type of each response. To avoid issues, set the Content-Type header of all responses to an accurate MIME type.
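The two checks described above (nosniff present, Content-Type accurate) as an added audit routine; this is example code, not part of the original article. The magic-byte table and the constructed sample responses are assumptions for illustration.

```python
# Added example: audit one HTTP response for the controls this page describes.
# Sample responses below are constructed; header names/values are standard.
from __future__ import annotations

# Leading bytes of a few common binary types (well-known file signatures).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}
# Markers a sniffing browser could treat as HTML/script inside a "non-active" body.
ACTIVE_MARKERS = (b"<script", b"<html", b"<!doctype")


def audit_response(headers: dict[str, str], body: bytes) -> list[str]:
    """Return findings for one response; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # Strip parameters such as "; charset=utf-8" before comparing the media type.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        findings.append("missing Content-Type")
        return findings
    sig = MAGIC.get(ctype)
    if sig is not None and not body.startswith(sig):
        findings.append(f"body does not match declared {ctype}")
    head = body[:512].lower()
    if not ctype.startswith("text/html") and any(m in head for m in ACTIVE_MARKERS):
        findings.append(f"markup/script markers in body declared as {ctype}")
    return findings


# Constructed samples: a correctly served PNG, and an "image" that is really markup.
GOOD = ({"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"},
        b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
BAD = ({"Content-Type": "image/png"},
       b"<html><script>/* constructed sample */</script></html>")

if __name__ == "__main__":
    for name, (hdrs, body) in {"good": GOOD, "bad": BAD}.items():
        print(name, audit_response(hdrs, body) or ["OK"])
```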

Learn more

  1. X-Content-Type-Options (developer.mozilla.org)
  2. Properly Configuring Server MIME Types (developer.mozilla.org)
  3. Content sniffing (en.wikipedia.org)
  4. Types (Section 7.2.1) (www.w3.org)
  5. Mitigating MIME Confusion Attacks in Firefox (blog.mozilla.org)

This article is from our comprehensive Web Security Best Practices guide.
