MIME type verification
The X-Content-Type-Options header informs browsers not to load scripts and stylesheets unless the server indicates the correct MIME type.
Problem
Solution
All sites must set the X-Content-Type-Options header with a value of nosniff, and set appropriate MIME types for the files they serve (i.e., via the Content-Type header).
nosniff blocks a request if the request destination:
- is of type style and the MIME type is not text/css.
- is of type script and the MIME type is not a valid JavaScript MIME type.
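The two blocking rules above, and the header requirement from the Solution section, as an added Python example that is not part of this page. It models what a nosniff-honouring browser does for script and style destinations and audits a set of response headers for the guideline; the set of JavaScript MIME types is assumed from the WHATWG MIME Sniffing standard's definition, and the sample header sets in the demo are constructed.

```python
"""Model of nosniff behaviour for script/style destinations plus a header
audit. Added example, not code from the page it accompanies."""

# Assumption: the "JavaScript MIME type" set as defined by the WHATWG MIME
# Sniffing standard (https://mimesniff.spec.whatwg.org/).
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def mime_essence(content_type):
    """Return the lowercase 'type/subtype' of a Content-Type value, dropping
    parameters such as '; charset=utf-8'. None if the header is absent/empty."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def _lower_keys(headers):
    # HTTP header names are case-insensitive; normalise for lookup.
    return {name.lower(): value for name, value in headers.items()}


def nosniff_blocks(destination, headers):
    """True if a browser honouring X-Content-Type-Options: nosniff would
    refuse to use this response for the given request destination.

    destination: the request destination, e.g. "script" or "style".
    headers: dict of response header name -> value.
    """
    h = _lower_keys(headers)
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        return False  # header absent/other value: browser may fall back to sniffing
    essence = mime_essence(h.get("content-type"))
    if destination == "style":
        return essence != "text/css"
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    return False  # the blocking rule only covers style and script destinations


def audit_headers(headers):
    """Return a list of findings for a response against the guideline:
    nosniff must be set and a Content-Type must be present."""
    h = _lower_keys(headers)
    findings = []
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")
    if mime_essence(h.get("content-type")) is None:
        findings.append("missing Content-Type")
    return findings


if __name__ == "__main__":
    # Constructed sample responses for a quick demonstration.
    samples = {
        "script served as text/plain": {"X-Content-Type-Options": "nosniff",
                                        "Content-Type": "text/plain"},
        "script served correctly": {"X-Content-Type-Options": "nosniff",
                                    "Content-Type": "text/javascript; charset=utf-8"},
        "stylesheet served as text/html": {"X-Content-Type-Options": "nosniff",
                                           "Content-Type": "text/html"},
        "no nosniff header at all": {"Content-Type": "text/css"},
    }
    for label, hdrs in samples.items():
        dest = "style" if "stylesheet" in label else "script"
        print(f"{label}: blocked={nosniff_blocks(dest, hdrs)} "
              f"findings={audit_headers(hdrs)}")
```

The audit only checks presence and value of the two headers; whether the Content-Type actually matches the file's contents is a separate check that needs the body.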
Examples
Prevent browsers from incorrectly detecting non-stylesheets as stylesheets and non-scripts as scripts:
```http
X-Content-Type-Options: nosniff
```