Almost every task in the current technological age touches the internet. Because individuals and large corporations rely on it for all kinds of transactions, including financial ones, experts work around the clock to make it safe, and the way a browser decides what kind of content it has received is one small but important part of that picture. The X-Content-Type-Options header was introduced with exactly this in mind. In this article I will explain what X-Content-Type-Options is, what it does, and how to configure Apache and Nginx servers to turn it on.
What X-content-type-options is #
To understand X-Content-Type-Options, we first need to understand MIME types. A media type, commonly called a MIME type (Multipurpose Internet Mail Extensions), describes the format of a file, document or sequence of bytes, for example text/html or image/png. The registration procedures for media types are standardized by the Internet Engineering Task Force (IETF) in RFC 6838, and the Internet Assigned Numbers Authority (IANA) maintains the registry of all official MIME types; the current list is published on IANA's website.
The HTTP response header X-Content-Type-Options tells the browser that it must not second-guess the Content-Type the server declared. The header first appeared in Microsoft Internet Explorer 8. It prevents MIME sniffing, the practice of inspecting the bytes of a response and reinterpreting a non-executable type (such as text/plain) as an executable one (such as HTML or JavaScript). All other major browsers have since adopted X-Content-Type-Options, and their MIME sniffing algorithms have become less aggressive.
By forcing the browser to use the MIME type declared by the origin server and turning off the sniffing that IE and Chrome would otherwise apply, this security header helps prevent MIME-confusion attacks, in which an attacker uploads a file that is served under a harmless type but is sniffed as HTML or script and executed in the site's origin. Next I will walk through what X-Content-Type-Options does for a specific web request.
How X-Content-Type-Options works #
Let's look at an example to better understand how the header works: a Chrome client contacts a web server to request an asset, which may be anything from an image or video to a PDF file. The server's response carries the header X-Content-Type-Options: nosniff. This stops the browser from "sniffing" the asset's bytes to guess a file type different from the one the server declared.
Information: Despite the name, MIME sniffing has nothing to do with a packet sniffer intercepting network traffic. It means the browser inspects the beginning of a response body and guesses its type, overriding or filling in the declared Content-Type. The nosniff header disables that guessing.
The browser then accepts the MIME type given by the origin server and renders the asset accordingly, or refuses it if that type does not fit the way the asset is being used.
Information: The request blocking caused by nosniff is only enforced for requests with the destinations "script" and "style": a script is blocked unless its Content-Type is a JavaScript MIME type, and a stylesheet is blocked unless its Content-Type is text/css. For other destinations, such as images, the header merely disables sniffing. It also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML responses in browsers that implement CORB, with the exception of image/svg+xml.
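The blocking rule described above, written out as code. This is an added example, not code from the original article: it implements the Fetch standard's "should response be blocked due to nosniff?" check for a given request destination, and the response headers it is run on are constructed for illustration.

```python
"""Decide whether a browser honouring X-Content-Type-Options: nosniff would
block a response, following the Fetch standard's nosniff blocking check.
Added example, not code from the original article; the sample responses
at the bottom are constructed."""

# Destinations the Fetch standard treats as "script-like".
SCRIPT_LIKE_DESTINATIONS = {
    "audioworklet", "paintworklet", "script", "serviceworker",
    "sharedworker", "worker",
}

# JavaScript MIME type essences listed by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def _header(headers, name):
    """Case-insensitive lookup of a response header; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def determines_nosniff(headers):
    """True if the first comma-separated value of X-Content-Type-Options is
    'nosniff' (ASCII case-insensitive). Later values such as in
    'nosniff, foo' are ignored, and 'foo, nosniff' does not count."""
    value = _header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    first = value.split(",")[0].strip(" \t")
    return first.lower() == "nosniff"


def mime_essence(headers):
    """Return 'type/subtype' from Content-Type, lower-cased and without
    parameters, or None if the header is missing or malformed."""
    value = _header(headers, "Content-Type")
    if value is None:
        return None
    essence = value.split(";")[0].strip().lower()
    return essence if "/" in essence else None


def blocked_by_nosniff(headers, destination):
    """True if a nosniff-honouring browser blocks this response for a
    request with the given destination ('script', 'style', 'image', ...)."""
    if not determines_nosniff(headers):
        return False          # no nosniff: the browser may fall back to sniffing
    essence = mime_essence(headers)
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_TYPES   # missing type also blocks
    if destination == "style":
        return essence != "text/css"
    return False              # images, fonts, documents, ... are never blocked


if __name__ == "__main__":
    # Constructed responses: what an upload endpoint might send for an
    # attacker-controlled file, and a genuine script.
    upload = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
    script = {"Content-Type": "text/javascript; charset=utf-8",
              "X-Content-Type-Options": "nosniff"}
    for dest in ("script", "style", "image"):
        print(f"{dest:6} upload blocked: {blocked_by_nosniff(upload, dest)!s:5} "
              f"script blocked: {blocked_by_nosniff(script, dest)}")
```

Running it shows the asymmetry the note above describes: the text/plain upload is blocked when used as a script or stylesheet but not when used as an image, and without the header nothing is blocked at all.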
How to switch the option on #
Once a site owner learns about this security feature, the next question is how to turn it on. Which snippet you add to your server's configuration depends on the web server you are running. If you use a cloud-based protection service such as SUCURI, the header is already sent by default. Before applying or changing any configuration file, consider these steps.
- Make a backup of the current configuration file so you can restore it if something goes wrong.
- After the change, validate the response headers with an online HTTP header checker tool or with `curl -I` against your site.
The next section describes what needs to be added for Apache and Nginx.
Apache Server configuration #
First make sure mod_headers is enabled. Open httpd.conf and look for the following line:
LoadModule headers_module modules/mod_headers.so
If the line is commented out, uncomment it.
To send X-Content-Type-Options, add the following directive to your .htaccess file (or to the relevant <VirtualHost> or server configuration):
Header set X-Content-Type-Options "nosniff"
Save the file and restart (or reload) Apache for the change to take effect. Writing `Header always set` instead of `Header set` makes Apache add the header to error responses as well, not only to successful ones.
Enabling your web server to send X-Content-Type-Options is very easy. The header does not protect against every XSS threat by itself, but it is simple to deploy and a sensible step towards a safer website.
Nginx Server configuration #
If you are using Nginx, add the following directive to the server or location block of your .conf file, then reload the server for the change to take effect. The `always` parameter makes Nginx send the header on error responses as well as on successful ones; note the terminating semicolon, which every Nginx directive needs.
add_header X-Content-Type-Options "nosniff" always;
If you use shared hosting from SiteGround or another provider that supports .htaccess files, log in to cPanel, open File Manager, and add the following line to the .htaccess file:
Header set X-Content-Type-Options nosniff
Save the file and reload the page in your browser to view the results.
What it does not protect #
X-Content-Type-Options cannot protect users whose browser ignores it. Support was once limited to a few browsers, beginning with Internet Explorer 8, and Firefox only added it in version 50, but current versions of Chrome, Edge, Firefox and Safari all honour it. It does not stop other attacks, such as the upload of malicious software or objectionable material, or anything that exploits a browser flaw. It also stops being protective when a resource is fetched by a plugin or other component that does not honour the header. For that reason, web security experts advise against returning Content-Type: text/plain for content whose type is unknown, because browsers without nosniff support will sniff text/plain into HTML; serve such content as application/octet-stream together with Content-Disposition: attachment, or as the exact type you know it to be.
It is strongly advised to send the X-Content-Type-Options header, but because older browsers and non-browser clients may not honour it, it cannot be relied upon as the only safeguard against content sniffing: always declare an accurate Content-Type as well.
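A small offline checker that ties the validation step from the configuration section to the caveats above. This is an added example, not code from the original article: it parses a raw HTTP response head (the kind of text `curl -sI` prints) and reports whether nosniff is set and whether the Content-Type choices discussed above need attention. The two sample responses are constructed, and the script name xcto_audit.py in the usage comment is hypothetical.

```python
"""Audit a server's response head for X-Content-Type-Options and for the
Content-Type pitfalls the article warns about. Added example, not code from
the original article; the sample responses are constructed."""
import sys


def parse_response_head(raw):
    """Parse an HTTP/1.x status line plus headers into (status_line, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the head; ignore any body after it
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def audit_headers(raw):
    """Return a list of findings for the given raw response head.
    An empty list means nothing to report."""
    _, headers = parse_response_head(raw)
    findings = []

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options header")
    elif xcto.split(",")[0].strip().lower() != "nosniff":
        # Browsers only honour the first comma-separated value.
        findings.append(f"X-Content-Type-Options is {xcto!r}, not 'nosniff'")

    ctype = headers.get("content-type")
    essence = ctype.split(";")[0].strip().lower() if ctype else None
    if essence is None:
        findings.append("missing Content-Type header")
    elif essence == "text/plain":
        findings.append("Content-Type text/plain: sniffed into HTML by browsers "
                        "without nosniff; use the real type or application/octet-stream")
    elif essence == "application/octet-stream":
        disposition = headers.get("content-disposition", "").lower()
        if not disposition.startswith("attachment"):
            findings.append("application/octet-stream without "
                            "Content-Disposition: attachment")
    return findings


# Constructed samples: a download endpoint before and after hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"report.bin\"\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Real use (hypothetical file name): curl -sI https://example.com/ | python3 xcto_audit.py -
    raw = sys.stdin.read() if "-" in sys.argv[1:] else BEFORE
    for finding in audit_headers(raw) or ["no findings"]:
        print(finding)
```

Run without arguments it audits the constructed BEFORE response and reports both the missing header and the text/plain type; fed the AFTER response it reports nothing. Pipe in the output of `curl -sI` for a real site to check your own configuration after the changes above.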
The Conclusion #
X-Content-Type-Options is an HTTP response header introduced to stop browsers from MIME sniffing, that is, from reinterpreting a response as a type the server did not declare. It protects the user by forcing the browser to respect the server's Content-Type. Site owners on shared hosting can enable it through their .htaccess file, and those running their own Apache or Nginx servers can enable it with a one-line change to the server configuration.