Security headers are a subset of HTTP response header that can be set by a web server that each apply a security control in browsers. HTTP headers are a form of metadata sent with web requests and responses. The security header “X-Content-Type-Options” prevents browsers from performing MIME sniffing.
Note: HTTP headers aren’t exclusive to HTTP and are also used in HTTPS.
What is MIME sniffing?
When any data is sent over the web, one of the pieces of metadata included is a MIME type. Multipurpose Internet Mail Extensions, or MIME types are a standard used to define the type of data a file contains, which indicates how the file should be handled. Typically, the MIME-type consists of a type and subtype with an optional parameter and value. For example, a UTF-8 text file would have the MIME type “text/plain;charset=UTF-8”. In that example, the type is “text”, the subtype is “plain”, the parameter is “charset”, and the value is “UTF-8”.
To prevent the mislabeling and mishandling of files, web servers typically perform MIME sniffing. This is a process where the explicitly stated MIME-type is ignored, and instead, the start of the file is analyzed. Most filetypes include header sequences that indicate what type of file it is. Most of the time, MIME types are correct, and sniffing the file makes no difference. If there’s a difference though, webservers will use the sniffed filetype to determine how to handle the file rather than the declared MIME type.
The problem occurs if an attacker manages to upload a file such as a PNG image, but the file is really something else like JavaScript code. For similar filetypes, such as two text types this may not cause too much of an issue. It becomes a serious issue, however, if a perfectly innocuous file can then be executed instead.
What does X-Content-Type-Options do?
The X-Content-Type-Options header only has one possible value “X-Content-Type-Options: nosniff”. Enabling it informs the user’s browser that it must not perform MIME type sniffing and instead rely on the explicitly declared value. Without this setting, if a malicious JavaScript file was disguised as an image such as a PNG, then the JavaScript file would be executed. With X-Content-Type-Options enabled the file will be treated as an image that fails to load as the file isn’t a valid image format.
X-Content-Type-Options isn’t particularly necessary on a website that uses entirely first-party resources, as there’s no chance of a malicious file being accidentally served. If a website uses third-party content such as external, or user-submitted resources, then X-Content-Type-Options provides protection against this type of attack.
Did this help? Let us know!