Security headers are a subset of HTTP response headers that a web server can set, each of which applies a security control in the browser. HTTP headers are a form of metadata sent with web requests and responses. The security header “X-Content-Type-Options” prevents browsers from performing MIME sniffing.
Note: HTTP headers aren’t exclusive to plain HTTP; they are also used with HTTPS.
What is MIME sniffing?
When any data is sent over the web, one of the pieces of metadata included is a MIME type. Multipurpose Internet Mail Extensions (MIME) types are a standard for describing the type of data a file contains, which in turn indicates how the file should be handled. Typically, a MIME type consists of a type and a subtype, with an optional parameter and value. For example, a UTF-8 text file would have the MIME type “text/plain;charset=UTF-8”. In that example, the type is “text”, the subtype is “plain”, the parameter is “charset”, and the value is “UTF-8”.
To prevent mislabeled files from being mishandled, browsers typically perform MIME sniffing. This is a process where the explicitly declared MIME type is ignored and the start of the file is inspected instead. Most file types begin with a header sequence (a signature) that identifies the type of file. Most of the time the declared MIME type is correct and sniffing makes no difference. When the two disagree, however, the browser uses the sniffed file type rather than the declared MIME type to decide how to handle the file.
What does X-Content-Type-Options do?
X-Content-Type-Options isn’t particularly necessary on a website that serves only first-party resources, as there’s no chance of a mislabeled malicious file being accidentally served. If a website uses third-party content, such as external or user-submitted resources, then X-Content-Type-Options protects against such a file being sniffed and handled as a type other than the one the server declared.
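A small audit of the two conditions discussed above (whether the body's leading bytes contradict the declared Content-Type, and whether the server sent `X-Content-Type-Options: nosniff`), as an added Python example that is not part of the original article; the byte-signature table and the two sample responses are constructed for illustration.

```python
# Added example (not from the article). The signature table is a small,
# hand-picked subset; the real WHATWG sniffing algorithm is far longer.
from typing import Dict, Optional

SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"<!doctype html", "text/html"),
    (b"<html", "text/html"),
    (b"<script", "text/html"),
]

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 header block into a dict keyed by lowercase name."""
    headers: Dict[str, str] = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:  # [0] is the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def declared_type(headers: Dict[str, str]) -> str:
    """Type/subtype of Content-Type, without parameters such as charset."""
    return headers.get("content-type", "").split(";")[0].strip().lower()

def sniff(body: bytes) -> Optional[str]:
    """Guess the type from leading bytes, skipping leading whitespace as browsers do."""
    head = body.lstrip(b" \t\r\n")[:32].lower()
    for signature, mime in SIGNATURES:
        if head.startswith(signature.lower()):
            return mime
    return None

def audit(raw_headers: bytes, body: bytes) -> Dict[str, object]:
    """Report nosniff presence and whether the body contradicts the declared type."""
    headers = parse_headers(raw_headers)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    declared, sniffed = declared_type(headers), sniff(body)
    mismatch = sniffed is not None and sniffed != declared
    return {"nosniff": nosniff, "declared": declared, "sniffed": sniffed,
            "at_risk": mismatch and not nosniff}

# Constructed samples: an uploaded "text" file that is really HTML, served without
# nosniff, versus a correctly labelled PNG served with the header.
RISKY_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n",
                  b"<html><body>not really plain text</body></html>")
SAFE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                 b"X-Content-Type-Options: nosniff\r\n\r\n", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
```

Running `audit` over a crawl of your own responses flags exactly the files a sniffing browser would reinterpret; the fix is to correct the Content-Type at the server and send nosniff regardless.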