X-Content-Type-Options

De X-Content-Type-Options antwoord HTTP header is een aanduiding die door de server wordt gebruikt om aan te tonen dat de MIME types die in de Content-Type headers zijn geadverteerd, niet gewijzigd moeten worden en moeten worden gevold. Dit zorgt voor de mogelijkheid om niet deel te nemen aan MIME type sniffing, of, met andere woorden, het is een manier waarop de webmasters tonen dat ze weten wat ze deden
 
Deze header is geïntroduceerd door Microsoft in IE8 om webmasters de mogelijkheid te geven om het content sniffing te blokkeren dat toen gebeurde. De header kan niet uitvoerbare MIME types omvormen tot uitvoerbare MIME types. Andere browsers hebben dit later ook geïntroduceerd, ook al zijn hun MIME sniffing algoritmes minder agressief.
 
Site veiligheid testers verwachten dat deze header geset is.
 

Nota: nosniff wordt enkel toegepast op "script" en"style" types. Het toepassen van de nosniff op afbeeldingen bleek niet compatibel te zijn met bestaande websites.

Header type Response header
Forbidden header name nee

Syntax

X-Content-Type-Options: nosniff

Directives

nosniff
Blokkeert een aanvraag van het aangevraagde type als
  • "style" en het MIME type niet "text/css" zijn, of
  • "script" en het MIME type zijn niet een JavaScript MIME type.

Specificaties

Specificatie Status Comment
Fetch
The definition of 'X-Content-Type-Options definition' in that specification.		 Living Standard Initial definition

Browser compatibiliteit

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome voor AndroidFirefox voor AndroidOpera voor AndroidSafari op iOSSamsung Internet
X-Content-Type-Options
Niet standaard
Chrome Volledige ondersteuning 64
Volledige ondersteuning 64
Gedeeltelijke ondersteuning 1
Opmerkingen
Opmerkingen Not supported for stylesheets.
Edge Volledige ondersteuning JaFirefox Volledige ondersteuning 50IE Volledige ondersteuning 8Opera Volledige ondersteuning JaSafari Geen ondersteuning NeeWebView Android Volledige ondersteuning 64
Volledige ondersteuning 64
Gedeeltelijke ondersteuning Gedeeltelijk
Opmerkingen
Opmerkingen Not supported for stylesheets.
Chrome Android Volledige ondersteuning 64
Volledige ondersteuning 64
Gedeeltelijke ondersteuning Gedeeltelijk
Opmerkingen
Opmerkingen Not supported for stylesheets.
Firefox Android Volledige ondersteuning 50Opera Android Volledige ondersteuning JaSafari iOS Geen ondersteuning NeeSamsung Internet Android Volledige ondersteuning 9.0
Volledige ondersteuning 9.0
Gedeeltelijke ondersteuning Gedeeltelijk
Opmerkingen
Opmerkingen Not supported for stylesheets.

Legenda

Volledige ondersteuning  
Volledige ondersteuning
Geen ondersteuning  
Geen ondersteuning
Niet standaard. Slechte ondersteuning verwacht voor meerdere browsers.
Niet standaard. Slechte ondersteuning verwacht voor meerdere browsers.
Zie implementatieopmerkingen
Zie implementatieopmerkingen

Verder lezen

Verwante onderwerpen
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept [Translate]
    2. Accept-CH [Translate]
    3. Accept-CH-Lifetime [Translate]
    4. Accept-Charset [Translate]
    5. Accept-Encoding [Translate]
    6. Accept-Language [Translate]
    7. Accept-Patch [Translate]
    8. Accept-Ranges [Translate]
    9. Access-Control-Allow-Credentials [Translate]
    10. Access-Control-Allow-Headers [Translate]
    11. Access-Control-Allow-Methods [Translate]
    12. Access-Control-Allow-Origin [Translate]
    13. Access-Control-Expose-Headers [Translate]
    14. Access-Control-Max-Age [Translate]
    15. Access-Control-Request-Headers [Translate]
    16. Access-Control-Request-Method [Translate]
    17. Age [Translate]
    18. Allow [Translate]
    19. Alt-Svc [Translate]
    20. Authorization [Translate]
    21. Cache-Control [Translate]
    22. Clear-Site-Data [Translate]
    23. Connection [Translate]
    24. Content-Disposition [Translate]
    25. Content-Encoding [Translate]
    26. Content-Language [Translate]
    27. Content-Length [Translate]
    28. Content-Location [Translate]
    29. Content-Range [Translate]
    30. Content-Security-Policy [Translate]
    31. Content-Security-Policy-Report-Only [Translate]
    32. Content-Type [Translate]
    33. Cookie [Translate]
    34. Cookie2 [Translate]
    35. Cross-Origin-Resource-Policy [Translate]
    36. DNT [Translate]
    37. DPR [Translate]
    38. Date [Translate]
    39. Device-Memory [Translate]
    40. Digest [Translate]
    41. ETag [Translate]
    42. Early-Data [Translate]
    43. Expect [Translate]
    44. Expect-CT [Translate]
    45. Expires [Translate]
    46. Feature-Policy [Translate]
    47. Forwarded [Translate]
    48. From [Translate]
    49. Host [Translate]
    50. If-Match [Translate]
    51. If-Modified-Since [Translate]
    52. If-None-Match [Translate]
    53. If-Range [Translate]
    54. If-Unmodified-Since [Translate]
    55. Index [Translate]
    56. Keep-Alive [Translate]
    57. Large-Allocation [Translate]
    58. Last-Modified [Translate]
    59. Link [Translate]
    60. Location
    61. Origin [Translate]
    62. Pragma [Translate]
    63. Proxy-Authenticate [Translate]
    64. Proxy-Authorization [Translate]
    65. Public-Key-Pins [Translate]
    66. Public-Key-Pins-Report-Only [Translate]
    67. Range [Translate]
    68. Referer [Translate]
    69. Referrer-Policy [Translate]
    70. Retry-After [Translate]
    71. Save-Data [Translate]
    72. Sec-WebSocket-Accept [Translate]
    73. Server [Translate]
    74. Server-Timing [Translate]
    75. Set-Cookie [Translate]
    76. Set-Cookie2 [Translate]
    77. SourceMap [Translate]
    78. Strict-Transport-Security [Translate]
    79. TE [Translate]
    80. Timing-Allow-Origin [Translate]
    81. Tk [Translate]
    82. Trailer [Translate]
    83. Transfer-Encoding [Translate]
    84. Upgrade-Insecure-Requests [Translate]
    85. User-Agent [Translate]
    86. Vary [Translate]
    87. Via [Translate]
    88. WWW-Authenticate [Translate]
    89. Want-Digest [Translate]
    90. Warning [Translate]
    91. X-Content-Type-Options
    92. X-DNS-Prefetch-Control [Translate]
    93. X-Forwarded-For [Translate]
    94. X-Forwarded-Host [Translate]
    95. X-Forwarded-Proto [Translate]
    96. X-Frame-Options [Translate]
    97. X-XSS-Protection [Translate]
  19. HTTP request methods
    1. CONNECT [Translate]
    2. DELETE [Translate]
    3. GET [Translate]
    4. HEAD [Translate]
    5. OPTIONS [Translate]
    6. PATCH [Translate]
    7. POST [Translate]
    8. PUT [Translate]
    9. TRACE [Translate]
  20. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols [Translate]
    3. 103 Early Hints [Translate]
    4. 200 OK
    5. 201 Created [Translate]
    6. 202 Accepted [Translate]
    7. 203 Non-Authoritative Information [Translate]
    8. 204 No Content [Translate]
    9. 205 Reset Content [Translate]
    10. 206 Partial Content [Translate]
    11. 300 Multiple Choices [Translate]
    12. 301 Moved Permanently
    13. 302 Found [Translate]
    14. 303 See Other [Translate]
    15. 304 Not Modified [Translate]
    16. 307 Temporary Redirect [Translate]
    17. 308 Permanent Redirect [Translate]
    18. 400 Bad Request [Translate]
    19. 401 Unauthorized [Translate]
    20. 402 Payment Required [Translate]
    21. 403 Forbidden [Translate]
    22. 404 Not Found [Translate]
    23. 405 Method Not Allowed [Translate]
    24. 406 Not Acceptable [Translate]
    25. 407 Proxy Authentication Required [Translate]
    26. 408 Request Timeout [Translate]
    27. 409 Conflict [Translate]
    28. 410 Gone [Translate]
    29. 411 Length Required [Translate]
    30. 412 Precondition Failed [Translate]
    31. 413 Payload Too Large [Translate]
    32. 414 URI Too Long [Translate]
    33. 415 Unsupported Media Type [Translate]
    34. 416 Range Not Satisfiable [Translate]
    35. 417 Expectation Failed [Translate]
    36. 418 I'm a teapot [Translate]
    37. 422 Unprocessable Entity [Translate]
    38. 425 Too Early [Translate]
    39. 426 Upgrade Required [Translate]
    40. 428 Precondition Required [Translate]
    41. 429 Too Many Requests [Translate]
    42. 431 Request Header Fields Too Large [Translate]
    43. 451 Unavailable For Legal Reasons [Translate]
    44. 500 Internal Server Error [Translate]
    45. 501 Not Implemented [Translate]
    46. 502 Bad Gateway [Translate]
    47. 503 Service Unavailable [Translate]
    48. 504 Gateway Timeout [Translate]
    49. 505 HTTP Version Not Supported [Translate]
    50. 506 Variant Also Negotiates [Translate]
    51. 507 Insufficient Storage [Translate]
    52. 508 Loop Detected [Translate]
    53. 511 Network Authentication Required [Translate]
  21. CSP directives
    1. CSP: base-uri [Translate]
    2. CSP: block-all-mixed-content [Translate]
    3. CSP: child-src [Translate]
    4. CSP: connect-src [Translate]
    5. CSP: default-src [Translate]
    6. CSP: font-src [Translate]
    7. CSP: form-action [Translate]
    8. CSP: frame-ancestors [Translate]
    9. CSP: frame-src [Translate]
    10. CSP: img-src [Translate]
    11. CSP: manifest-src [Translate]
    12. CSP: media-src [Translate]
    13. CSP: navigate-to [Translate]
    14. CSP: object-src [Translate]
    15. CSP: plugin-types [Translate]
    16. CSP: prefetch-src [Translate]
    17. CSP: referrer [Translate]
    18. CSP: report-to [Translate]
    19. CSP: report-uri [Translate]
    20. CSP: require-sri-for [Translate]
    21. CSP: sandbox [Translate]
    22. CSP: script-src [Translate]
    23. CSP: script-src-attr [Translate]
    24. CSP: script-src-elem [Translate]
    25. CSP: style-src [Translate]
    26. CSP: style-src-attr [Translate]
    27. CSP: style-src-elem [Translate]
    28. CSP: trusted-types [Translate]
    29. CSP: upgrade-insecure-requests [Translate]
    30. CSP: worker-src [Translate]
  22. CORS errors
    1. Reason: CORS disabled [Translate]
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz' [Translate]
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing [Translate]
    4. Reason: CORS header ‘Origin’ cannot be added [Translate]
    5. Reason: CORS preflight channel did not succeed [Translate]
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed [Translate]
    8. Reason: CORS request not HTTP [Translate]
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ [Translate]
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed [Translate]
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ [Translate]
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ [Translate]
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
  23. Feature-Policy directives
    1. Feature-Policy: accelerometer [Translate]
    2. Feature-Policy: ambient-light-sensor [Translate]
    3. Feature-Policy: autoplay [Translate]
    4. Feature-Policy: battery [Translate]
    5. Feature-Policy: camera [Translate]
    6. Feature-Policy: display-capture [Translate]
    7. Feature-Policy: document-domain [Translate]
    8. Feature-Policy: encrypted-media [Translate]
    9. Feature-Policy: fullscreen [Translate]
    10. Feature-Policy: geolocation [Translate]
    11. Feature-Policy: gyroscope [Translate]
    12. Feature-Policy: layout-animations [Translate]
    13. Feature-Policy: legacy-image-formats [Translate]
    14. Feature-Policy: magnetometer [Translate]
    15. Feature-Policy: microphone [Translate]
    16. Feature-Policy: midi [Translate]
    17. Feature-Policy: oversized-images [Translate]
    18. Feature-Policy: payment [Translate]
    19. Feature-Policy: picture-in-picture [Translate]
    20. Feature-Policy: publickey-credentials [Translate]
    21. Feature-Policy: speaker [Translate]
    22. Feature-Policy: sync-xhr [Translate]
    23. Feature-Policy: unoptimized-images [Translate]
    24. Feature-Policy: unsized-media [Translate]
    25. Feature-Policy: usb [Translate]
    26. Feature-Policy: vibrate [Translate]
    27. Feature-Policy: vr [Translate]
    28. Feature-Policy: wake-lock [Translate]
    29. Feature-Policy: xr [Translate]
    30. Feature-Policy: xr-spatial-tracking [Translate]