X-Content-Type-Options

Tells the web browser that the Content-Type headers are deliberately set and should be followed.

This HTTP response header tells the web browser that it must obey the Content-Type header. Without it, browsers may use MIME type sniffing to guess the Content-Type. They may do this when the Content-Type header is missing or when they think it is incorrect. This is one of the important security headers that servers should set in order to protect their users.

Without this header, some browsers may look at the file extension or the contents of a file to determine whether the document is an image, HTML, JavaScript or some other content. Some resources, like JavaScript, are executable. If a website allows users to upload content, or if it links to third-party content, then a certain type of vulnerability becomes possible. For example, a user could upload a JavaScript file disguised as an image. When that image is loaded, the browser may sniff the Content-Type and decide that it is a JavaScript file, not an image. It may then run the JavaScript code, which could carry out a cross-site scripting attack to steal information from other users of the website.

To set this header, use one of the following two lines, depending on your server software. It is also important to set the Content-Type header to appropriate values for each file that the server sends to a client.

Apache: Header always set X-Content-Type-Options "nosniff"

Nginx: add_header X-Content-Type-Options "nosniff" always;

The only valid value for this header is nosniff, so copy and paste one of the above lines into your config file to enable this security feature.
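As an added check, not part of the original page, here is a small Python audit that parses a captured HTTP response header block and reports whether nosniff is set (using the first-token, case-insensitive rule browsers apply per the Fetch standard) and whether a Content-Type accompanies it, since nosniff is only useful when there is a Content-Type to obey. The sample responses are constructed.

```python
# Constructed sample responses (not captured from any real site).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
NO_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
TYPO = "HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\nX-Content-Type-Options: no-sniff\r\n\r\n"
NO_CONTENT_TYPE = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: NOSNIFF\r\n\r\n"


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response header block into {lowercase name: [values]}.
    Repeated headers are kept in order; the status line is skipped."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue              # tolerate a malformed line rather than abort
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def nosniff_enabled(headers: dict) -> bool:
    """Mirror the browser rule from the Fetch standard: combine all
    X-Content-Type-Options values, split on commas, and the first token must
    match 'nosniff' ASCII-case-insensitively. Anything else leaves sniffing on."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first = ",".join(values).split(",")[0].strip()
    return first.lower() == "nosniff"


def audit(raw: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    headers = parse_headers(raw)
    findings = []
    if not nosniff_enabled(headers):
        findings.append("X-Content-Type-Options: nosniff is missing or misspelled")
    if "content-type" not in headers:
        findings.append("Content-Type is missing, so the browser has nothing to obey and will sniff")
    return findings


if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("no header", NO_HEADER),
                          ("typo", TYPO), ("no content-type", NO_CONTENT_TYPE)]:
        print(label, "->", audit(sample) or ["ok"])
```

To audit a live server, feed it the header block returned by `curl -sI https://example.invalid/` (placeholder host) in place of the constructed samples.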
