X-Content-Type-Options Header
Table of Content
- Syntax
- Directives
- Examples
- Browser Compatibility
- How to modify X-Content-Type-Options header The X-Content-Type-Options header is a security feature that helps prevent attacks based on MIME-type confusion. It allows web servers to declare that web browsers (or other complying user agents) should not change the declared content-type. This can be helpful in preventing content sniffing attacks, where an attacker injects malicious content into a website, and the browser interprets this content differently than the server intended.
Syntax
X-Content-Type-Options: nosniff
Directives
The only directive supported by X-Content-Type-Options is nosniff
. It blocks a request if the request destination is of type "style" and the MIME type is not "text/css", or if the destination is of type "script" and the MIME type is not a JavaScript MIME type.
Examples
Here is an example of how to use the X-Content-Type-Options header in HTTP response:
HTTP/1.1 200 OK
Date: Tue, 15 May 2018 16:13:53 GMT
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Using this header, the above example instructs the browser not to sniff the content type and thereby helps in preventing security vulnerabilities.
Browser Compatibility
Browser | Compatibility |
---|---|
Chrome | Supported |
Firefox | Supported |
Safari | Supported |
Opera | Supported |
Edge | Supported |
How to modify X-Content-Type-Options header
ModHeader is a Google Chrome extension that adds, modifies, and removes HTTP request headers. You can use it to add the X-Content-Type-Options header to your requests as follows:
- First, add the ModHeader extension to your Chrome browser.
- Click on the ModHeader icon in the toolbar, which opens the extension.
- In the Request Headers section, click on the 'add' button.
- Enter 'X-Content-Type-Options' in the 'Name' field and 'nosniff' in the 'Value' field.
- Now, all your subsequent requests will contain this header until you remove it.
Being able to change request headers directly in your browser can be very helpful for testing how your server handles different scenarios.