A method used to opt out of MIME type sniffing
The X-Content-Type-Options header is a marker a server uses to indicate that the MIME types it advertises in Content-Type headers are deliberate and should be followed rather than changed. It is the mechanism for opting out of MIME type sniffing: in other words, the header tells the browser that the MIME types were configured on purpose.
The header was first introduced by Microsoft in Internet Explorer 8 as a simple way for webmasters to block content sniffing, which had the potential to turn non-executable MIME types into executable ones. Since then, the other popular browsers have implemented it as well, even though their MIME sniffing algorithms are less aggressive.
Beginning with Firefox 72, opting out of MIME sniffing is also applied to top-level documents when a Content-Type is provided. As a result, HTML pages served with a MIME type other than text/html are downloaded instead of rendered. It is therefore important to make sure both headers (Content-Type and X-Content-Type-Options) are set correctly; site security checks expect them to be set.
X-Content-Type-Options protects the website against MIME confusion attacks. These vulnerabilities can arise once a website allows visitors to upload content: a visitor disguises a file as something other than what it is, which leaves room for cross-site scripting and site compromise. The security header protects against these attacks by disabling the MIME sniffing function in Chrome and IE, so that the browser is required to use the MIME type the server declared.
An example scenario of the security header in action would be:
- A Chrome user requests an asset (image.jpg) from a server.
- The response is sent with X-Content-Type-Options: nosniff. This header prevents the Chrome client from sniffing: it cannot inspect the asset and treat the file as a type other than the one the server declared.
- The browser accepts the MIME type as defined by the origin server and then displays the asset to the viewer.
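The scenario above, as an added audit helper that is not part of the original article: given a response's headers and body, it reports whether a lenient, sniffing browser could reinterpret the body (for example an uploaded "image" that is really an HTML page) and whether nosniff closes that gap. The sniffing heuristic and the sample responses are constructed for illustration, not the real browser algorithm.

```python
from typing import Optional
import re

# Simplified model of a lenient (legacy) sniffer, NOT the WHATWG algorithm:
# a body that starts like HTML may be rendered as text/html by a browser
# that sniffs, unless the server sent X-Content-Type-Options: nosniff.
HTML_MARKERS = re.compile(rb"^\s*(<!doctype html|<html|<script|<body|<head)", re.I)
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF8": "image/gif",
}

def sniff(body: bytes) -> Optional[str]:
    """Guess a MIME type from the leading bytes (constructed heuristic)."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if HTML_MARKERS.match(body[:512]):
        return "text/html"
    return None

def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def has_nosniff(headers: dict) -> bool:
    """The only meaningful value is 'nosniff' (compared case-insensitively)."""
    return header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"

def audit(headers: dict, body: bytes) -> dict:
    """Report whether a sniffing browser could override the declared type."""
    declared = header(headers, "Content-Type").split(";")[0].strip().lower()
    sniffed = sniff(body)
    mismatch = sniffed is not None and sniffed != declared
    return {
        "declared": declared,
        "sniffed": sniffed,
        "nosniff": has_nosniff(headers),
        # Exposed only when the bytes look like another type AND no opt-out.
        "at_risk": mismatch and not has_nosniff(headers),
    }

# Constructed sample: an "image" upload whose bytes are really an HTML page.
UPLOAD = b"<html><body>this upload is a page, not a picture</body></html>"
UNPROTECTED = {"Content-Type": "image/jpeg"}
PROTECTED = {"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"}
```

Call `audit(UNPROTECTED, UPLOAD)` and `audit(PROTECTED, UPLOAD)` to compare the two responses; note that a misspelled value such as "no sniff" is not recognised and gives no protection.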
There are a few cases in which X-Content-Type-Options cannot protect against sniffing. Chrome and IE honour the header, but unsupported browsers do not: if an unsupported browser requests an asset, the header is returned but has no effect. Likewise, if a plugin or extension (such as Flash) that does not support the security header is used to fetch resources, no protection is provided either.
Enabling this security header takes only a few simple steps: depending on the web server in use, a snippet is added to its configuration file. Both Nginx and Apache need such a snippet. Nginx users add it, save the changes and reload the server; Apache users add it and save the changes.
Configuring a web server to send the X-Content-Type-Options header is a simple and easy way to keep your website more secure. While it is not foolproof against all XSS attacks, it is a great way to take web security to the next level.