Require X-Content-Type-Options HTTP response header (x-content-type-options)

x-content-type-options warns when scripts and stylesheets are not served with the X-Content-Type-Options: nosniff HTTP response header.

Why is this important?

Sometimes the metadata browsers need in order to know how to interpret the content of a resource is incorrect, unreliable, or even absent. To overcome those problems and provide a better user experience, browsers use contextual clues and inspect the bytes of the response, regardless of the Content-Type HTTP header sent by the server, in order to detect the file format (a process known as MIME sniffing).

For example, if a browser requests a script, but that script is served with an incorrect media type (e.g. x/x), the browser will still detect the script and execute it.

While content sniffing can be beneficial, as previously stated, it can also expose the web site/app to MIME-type confusion attacks, which can lead to security problems, especially for servers hosting untrusted content.

Fortunately, browsers provide a way to opt-out of MIME sniffing by using the X-Content-Type-Options: nosniff HTTP response header.

Going back to the previous example, if the X-Content-Type-Options: nosniff header is sent for the script, and the browser detects that the resource is being loaded as a script but was not served with one of the JavaScript media types, it will block it instead of executing it.

Note: Modern browsers only respect the header for scripts and stylesheets, and sending the header for other resources such as images may create problems in older browsers.

What does the rule check?

The rule checks that scripts and stylesheets, and only those, are served with the X-Content-Type-Options HTTP header set to the value nosniff. It triggers when a script or stylesheet is missing the header or carries a value other than nosniff, and when a resource of another type carries the header.
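To make the browser-side behaviour described under "Why is this important?" and the check performed by this rule concrete, here is an added JavaScript example; it is not webhint's own implementation. It models the Fetch standard's "determine nosniff" step and its "should response to request be blocked due to nosniff?" decision for script and style destinations, then applies this rule's logic to a few constructed responses that mirror the examples on this page. The header objects, the `destination` strings and the function names are assumptions made for the example.

```javascript
// Added example (not webhint's own code): a minimal model of the browser-side
// nosniff check from the Fetch standard, plus what this rule looks for.
// All header objects below are constructed sample data.

// JavaScript MIME type essences listed in the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Header lookup that ignores case in the header name (HTTP header names are
// case-insensitive). Returns undefined when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Media type "essence": type/subtype with parameters such as charset removed.
function mimeEssence(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Fetch's "determine nosniff": true only when the header is present and its
// first comma-separated value is an ASCII case-insensitive match for "nosniff".
// A misspelling such as "no-sniff" therefore does NOT opt out of sniffing.
function determineNosniff(headers) {
  const value = getHeader(headers, 'x-content-type-options');
  if (value === undefined) return false;
  return value.split(',')[0].trim().toLowerCase() === 'nosniff';
}

// Fetch's "should response to request be blocked due to nosniff?", reduced to
// the two destinations it applies to. `destination` is the request destination:
// 'script', 'style', or something else such as 'image'.
function blockedByNosniff(destination, headers) {
  if (!determineNosniff(headers)) return false;
  const essence = mimeEssence(getHeader(headers, 'content-type'));
  if (destination === 'script') return !JAVASCRIPT_MIME_TYPES.has(essence);
  if (destination === 'style') return essence !== 'text/css';
  return false;
}

// What the rule checks: scripts and stylesheets must carry exactly "nosniff";
// other resources should not carry the header at all.
// Returns null when the response passes, otherwise a short reason string.
function checkRule(destination, headers) {
  const value = getHeader(headers, 'x-content-type-options');
  const needsHeader = destination === 'script' || destination === 'style';
  if (!needsHeader) {
    return value === undefined ? null : 'unneeded header on non-script/stylesheet resource';
  }
  if (value === undefined) return 'missing X-Content-Type-Options header';
  if (!determineNosniff(headers)) return `invalid value "${value}" (expected "nosniff")`;
  return null;
}

// Constructed sample responses mirroring the examples on this page, plus the
// "script served as x/x" case from the explanation above.
const samples = [
  { destination: 'image', headers: { 'Content-Type': 'image/png', 'X-Content-Type-Options': 'nosniff' } },
  { destination: 'script', headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'no-sniff' } },
  { destination: 'script', headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' } },
  { destination: 'script', headers: { 'Content-Type': 'x/x', 'X-Content-Type-Options': 'nosniff' } },
];

for (const { destination, headers } of samples) {
  console.log(destination, JSON.stringify(headers),
    '=> rule:', checkRule(destination, headers) || 'pass',
    '| blocked by browser:', blockedByNosniff(destination, headers));
}
```

Note that `determineNosniff` is deliberately lenient about case and about extra comma-separated values, because that is what the Fetch algorithm does; the rule, by contrast, reports anything that is not exactly `nosniff`, since a value the page's own examples call invalid (`no-sniff`) silently leaves sniffing enabled.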

Examples that trigger the rule

Resource that is not script or stylesheet is served with the X-Content-Type-Options HTTP header.

HTTP/... 200 OK

...
Content-Type: image/png
X-Content-Type-Options: nosniff

Script is served with the X-Content-Type-Options HTTP header with the invalid value of no-sniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: no-sniff

Examples that pass the rule

Script is served with the X-Content-Type-Options HTTP header with the valid value of nosniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: nosniff

How to configure the server to pass this rule

How to configure Apache

Presuming the script files use the .js or .mjs extension, and the stylesheets .css, Apache can be configured to serve them with the X-Content-Type-Options header set to nosniff using the Header directive:

<IfModule mod_headers.c>
    <FilesMatch "\.(css|m?js)$">
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</IfModule>

Note that:

  • The above snippet works with Apache v2.2.0+, but you need to have mod_headers enabled in order for it to take effect.

  • If you have access to the main Apache configuration file (usually called httpd.conf), you should add the logic in, for example, a <Directory> section in that file. This is usually the recommended way as using .htaccess files slows down Apache!

    If you don't have access to the main configuration file (quite common with hosting services), just add the snippets in a .htaccess file in the root of the web site/app.

Further Reading