A content sniffing attack typically involve tricking a browser into executing a script that is disguised as another file type. These attacks can be protected against with correctly configured response headers.

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate the MIME types advertised in the Content-Type headers should not be changed and be followed … This header was introduced by Microsoft in IE 8 as a way for webmasters to block content sniffing that was happening and could transform non-executable MIME types into executable MIME types.

Mozilla, “X-Content-Type-Options”

Use content sniffing protection

Turn off browser content sniffing to protect against content sniffing exploits. When processing a response, browsers sometimes ignore the MIME type in the Content-Type header and guess the type based on the contents of the response. This is called content sniffing and is done to improve the user experience when Content-Type headers are inaccurate or missing. However, this behaviour can be exploited. For example, if your site allows users to share images, an attacker might be able to upload a specially crafted image file that contains JavaScript code. A browser performing content sniffing might then be tricked into executing the malicious file. To reduce content sniffing attacks, set the X-Content-Type-Options response header to nosniff. This tells browsers to avoid guessing response types and to rely only on the Content-Type header.

Set MIME types

All responses should accurately specify their MIME type so that browsers don’t have to rely on content sniffing. When the X-Content-Type-Options: nosniff response header is used to disable content sniffing, browsers rely on the Content-Type header to determine the type of each response. To avoid issues, set the Content-Type header of all responses to an accurate MIME type.

More articles in this series

➜  This article is from our comprehensive Web Security Best Practices guide.

➜  Next article in this series: Response headers

➜  Previous article in this series: HSTS