The MIME Sniffing Vulnerability
Browsers use MIME sniffing to guess a resource's type from its bytes when the server's Content-Type header is missing or looks wrong. When an attacker controls those bytes (a file upload, for example), this can lead to:
- XSS via files disguised as scripts or HTML
- Content spoofing attacks
- Drive-by downloads
How nosniff Works
1. Request: the browser requests a resource.
2. Response: the server includes X-Content-Type-Options: nosniff in the response.
3. Enforcement: the browser honors the declared Content-Type instead of sniffing the body. In particular, a script or stylesheet whose declared type is not a JavaScript or text/css type is refused rather than executed or applied, so the header only helps when the declared Content-Type is itself correct.
Implementation Examples
Apache
Header set X-Content-Type-Options nosniff
Requires mod_headers to be enabled; verify by checking the header on a real response rather than trusting the configuration file.
Nginx
add_header X-Content-Type-Options nosniff;
Note that add_header directives are inherited from the enclosing block only if the inner block defines no add_header of its own, so a location block that adds any other header must repeat this one.
Content-Type Best Practices
| File Type | Correct Content-Type |
|---|---|
| HTML | text/html; charset=utf-8 |
| JavaScript | application/javascript |
| CSS | text/css |
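As an added example (not from the original page), a small Python audit that checks a response's headers against the nosniff guidance and the Content-Type table above, and reports whether a script response would be refused under nosniff. The sample responses are constructed, and the JavaScript MIME type set is a subset of what browsers accept.

```python
from typing import Dict, List

# Expected Content-Type per file extension, taken from the table above.
EXPECTED_TYPES = {".html": "text/html", ".js": "application/javascript", ".css": "text/css"}

# A subset of the MIME types browsers treat as JavaScript; under nosniff a <script>
# response carrying any other type is refused rather than sniffed.
JS_MIME_TYPES = {"text/javascript", "application/javascript", "application/x-javascript",
                 "text/ecmascript", "application/ecmascript"}


def mime_essence(content_type: str) -> str:
    """Return 'type/subtype' lower-cased, with parameters such as charset stripped."""
    return content_type.split(";", 1)[0].strip().lower()


def audit_response(path: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response (empty list = passes). Header lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    ctype = h.get("content-type")
    if ctype is None:
        findings.append("missing Content-Type (browser will sniff)")
        return findings
    # Path is assumed to carry no query string; only the extension is inspected.
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    expected = EXPECTED_TYPES.get(ext)
    if expected and mime_essence(ctype) != expected:
        findings.append(f"Content-Type {ctype!r} should be {expected!r} for {path}")
    return findings


def script_blocked_under_nosniff(content_type: str) -> bool:
    """True if a <script src> response with this Content-Type is refused under nosniff."""
    return mime_essence(content_type) not in JS_MIME_TYPES


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "/index.html": {"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"},
    "/app.js": {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
    "/upload/avatar.png": {"Content-Type": "image/png"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, audit_response(path, hdrs) or "OK")
```

The second sample shows the trap mentioned above: nosniff is present, but because the script is served as text/plain the browser will refuse to run it, so fixing the Content-Type is part of deploying the header.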