This header protects against so-called browser sniffing, where the browser itself determines the type of a file instead of obeying the type defined in the Content-Type header. Without this header, browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks.

It blocks the browser from guessing the file type based on the file content instead of the specified Content-Type, a behavior also known as MIME sniffing. This stops the browser from accidentally executing a disguised malicious file, but it only applies to files where the expected type is style or script.

This header has only one directive to add:

X-Content-Type-Options: nosniff

When it is applied, the browser honors the Content-Type header specified for the file and, when that type is not the expected script or style type, blocks the request instead of executing it.
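
The blocking rule described above, as an added example that is not part of the original page: it models the nosniff check browsers apply to script and style requests and runs it over constructed sample responses, which also shows which of your own assets would stop loading once the header is on. The function names, URLs and header sets are assumptions for illustration.

```javascript
// Added example; function names are hypothetical, sample responses are constructed.
// JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive lookup in a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// The header counts only if its first comma-separated value is "nosniff".
function nosniffEnabled(headers) {
  const value = getHeader(headers, "X-Content-Type-Options");
  return value !== null && value.split(",")[0].trim().toLowerCase() === "nosniff";
}

// destination: "script" or "style"; other request types are never blocked.
// "text/css; charset=utf-8" is reduced to "text/css"; a missing type matches nothing.
function wouldBlock(destination, headers) {
  if (!nosniffEnabled(headers)) return false;
  const type = getHeader(headers, "Content-Type");
  const essence = type === null ? null : type.split(";")[0].trim().toLowerCase();
  if (destination === "script") return !JS_MIME_TYPES.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false;
}

// Constructed sample responses: [url, destination, headers].
const SAMPLE_ASSETS = [
  ["/app.js", "script", { "Content-Type": "text/javascript; charset=utf-8", "X-Content-Type-Options": "nosniff" }],
  ["/uploads/note.txt", "script", { "content-type": "text/plain", "x-content-type-options": "NoSniff" }],
  ["/site.css", "style", { "Content-Type": "text/html", "X-Content-Type-Options": "nosniff" }],
  ["/legacy.js", "script", { "Content-Type": "text/plain" }],
  ["/logo.png", "image", { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" }],
];

// One verdict per asset: "blocked", "allowed", or "unprotected" (no nosniff sent).
function auditAssets(assets) {
  return assets.map(([url, destination, headers]) => {
    if (!nosniffEnabled(headers)) return `${url}: unprotected`;
    return `${url}: ${wouldBlock(destination, headers) ? "blocked" : "allowed"}`;
  });
}
console.log(auditAssets(SAMPLE_ASSETS).join("\n"));
```

A "blocked" verdict on one of your own scripts or stylesheets means its Content-Type needs correcting before the header is rolled out.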

Although the header doesn’t have any drawbacks, only about 16% are using it*. Test your site to see whether it sends the header.

Adding it can look like this:

<add name="X-Content-Type-Options" value="nosniff"/>

Read more about: How to add headers to your .net site
