Website Vulnerability: Absence of the X-Content-Type-Options Header

July 28, 2023

Discover the importance of the X-Content-Type-Options header for web security. Learn how to prevent MIME sniffing attacks and unintended file downloads with proper configuration for Nginx and Apache servers.

Source: Dashboard of HTTP Response Header Vulnerabilities on Official Websites of Listed Companies in Japan

Issues Arising from the Absence of the X-Content-Type-Options Header

When the X-Content-Type-Options header is not set, the following vulnerabilities may arise:

1. MIME Sniffing Attacks

MIME sniffing occurs when a browser inspects the bytes of a response to guess the actual format of a file rather than relying on the MIME type declared in the Content-Type header. Attackers can abuse this behaviour by supplying data crafted so that the browser reclassifies it (for example, treating a file that was uploaded and served as an image as HTML or script), causing the content to be misinterpreted and potentially executed.

By configuring the X-Content-Type-Options header, browsers can be instructed to trust the declared MIME type, effectively mitigating the risk of MIME sniffing attacks.

2. Unintended File Downloads

Browsers rely on the Content-Type header to determine how to handle files. If the Content-Type is set incorrectly, unintended handling can occur. For example, an HTML file served without a correctly specified Content-Type might be treated as plain text, so that the browser downloads the file or shows its raw source, HTML tags and embedded scripts included, instead of rendering it.

Proper configuration of the X-Content-Type-Options header ensures that browsers handle content according to the declared MIME type, preventing such unintended behaviours. This only holds when the Content-Type header itself is correct: nosniff tells the browser to trust the declared type rather than inspect the bytes, so it does not repair a wrong or missing Content-Type.

Recommended Configuration:
The following configuration disables MIME sniffing by instructing browsers to trust the specified MIME type:

X-Content-Type-Options: nosniff
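As an added example that is not part of the original article, the following Python function audits a captured set of response headers the way a browser evaluates them: it looks up X-Content-Type-Options case-insensitively, accepts only a first value of nosniff, and also flags a missing Content-Type, since nosniff can only enforce a type the server actually declared. The header samples are constructed, not captured from any real site.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    nosniff: bool                       # True when a browser would honour "nosniff"
    issues: list[str] = field(default_factory=list)


def _get_values(headers, name):
    """Collect every value of a header, matching the name case-insensitively and
    splitting comma-separated lists (the 'get, decode and split' rule browsers use)."""
    found = []
    for key, value in headers:
        if key.lower() == name.lower():
            found.extend(v.strip() for v in value.split(","))
    return found


def audit_response(headers):
    """headers: list of (name, value) pairs as they appeared in the HTTP response."""
    finding = Finding(nosniff=False)
    xcto = _get_values(headers, "X-Content-Type-Options")
    if not xcto:
        finding.issues.append("X-Content-Type-Options header is absent")
    elif xcto[0].lower() != "nosniff":
        # Browsers only consult the first value and compare it case-insensitively,
        # so a typo such as "no-sniff" leaves MIME sniffing enabled.
        finding.issues.append(f"unexpected X-Content-Type-Options value {xcto[0]!r}")
    else:
        finding.nosniff = True
    if not _get_values(headers, "Content-Type"):
        finding.issues.append("Content-Type is missing; nosniff can only enforce a declared type")
    return finding


# Constructed sample responses for demonstration (hypothetical, not from a real site)
SAMPLES = {
    "hardened": [("Content-Type", "text/html; charset=utf-8"), ("X-Content-Type-Options", "nosniff")],
    "missing": [("Content-Type", "text/html")],
    "typo": [("Content-Type", "text/html"), ("x-content-type-options", "no-sniff")],
    "no_ctype": [("X-Content-Type-Options", "NOSNIFF")],
}


def audit_samples():
    """Run the audit over every constructed sample and return the findings by name."""
    return {name: audit_response(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, f in audit_samples().items():
        print(f"{name:9} nosniff={f.nosniff} issues={f.issues}")
```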

How to Configure the X-Content-Type-Options Header

The method for setting the X-Content-Type-Options header varies depending on the web server being used. Below are examples for common web servers:

Nginx

To configure the X-Content-Type-Options header in Nginx, add the following line to your nginx.conf file or server block configuration. Note that add_header applies only to 2xx and 3xx responses unless the always parameter is appended (supported since nginx 1.7.5), and that add_header directives in a nested block replace, rather than extend, those inherited from the enclosing level:

server {
    ...
    add_header X-Content-Type-Options "nosniff";
    ...
}

Apache

In Apache, the X-Content-Type-Options header can be configured by adding the following line to the .htaccess file or to the virtual host configuration (this requires the mod_headers module to be enabled):

Header always set X-Content-Type-Options "nosniff"