
3.2.7. X-Content-Type-Options

To provide better compatibility, modern browsers usually come with a content-type sniffing algorithm that lets them infer the content type of a file by inspecting its content. This is useful when the HTTP response does not include a Content-Type header, or when the declared type does not match the actual content. By rendering such content correctly and ignoring the mismatched MIME type, a browser gains a competitive advantage over browsers that do not render the file correctly.
Even though this behaviour improves the user experience, it also has an impact on security. Suppose a web application lets users upload and download content and, to protect against malicious file types, implements content-type filters that reject potentially dangerous types. An attacker can upload a malicious file with a benign Content-Type that passes the application's filters, and the server stores the file together with the declared MIME type. When other users download the file, the server sends the stored type in the Content-Type header, but the browser's content-type sniffing algorithm determines the real type and ignores the received header, so the file is handled as its actual type and the client is exposed.
To prevent browsers from using content-type sniffing, the server can include the
X-Content-Type-Options: nosniff
header, which instructs the browser to honour the type sent in the Content-Type header. The header is evaluated per response, so it should be sent on every response the application serves, not only on file downloads.
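The following is an added example, not code from the guide: a small WSGI middleware that adds the X-Content-Type-Options: nosniff header to every response (without duplicating it if the application already set it), together with a hypothetical download endpoint that, as the text describes, serves a stored upload with the MIME type declared at upload time, and a helper that audits a response's headers for the defence. The endpoint, its sample body and the middleware name are assumptions made for the example.

```python
"""Added example (not from the Defensive Coding Guide): WSGI middleware that
enforces X-Content-Type-Options: nosniff, plus a header audit helper."""

from wsgiref.util import setup_testing_defaults

NOSNIFF_HEADER = ("X-Content-Type-Options", "nosniff")


class NoSniffMiddleware:
    """Wrap a WSGI application and add the nosniff header to every response
    unless the wrapped application already set X-Content-Type-Options itself."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            present = any(k.lower() == "x-content-type-options" for k, _ in headers)
            if not present:
                headers = list(headers) + [NOSNIFF_HEADER]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def file_download_app(environ, start_response):
    """Hypothetical download endpoint (constructed for this example): it serves
    an upload with the MIME type the uploader declared, which is exactly the
    situation where sniffing would override the declared type."""
    stored_type = "text/plain"                       # declared at upload time
    body = b"<html><body>stored upload</body></html>"  # constructed sample content
    start_response("200 OK", [("Content-Type", stored_type),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, path="/download/1"):
    """Drive a WSGI app with wsgiref's testing defaults; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def sniffing_allowed(headers):
    """Audit helper: True if a browser may sniff this response, i.e. the
    X-Content-Type-Options header is missing or its value is not 'nosniff'."""
    for name, value in headers:
        if name.lower() == "x-content-type-options":
            return value.strip().lower() != "nosniff"
    return True


if __name__ == "__main__":
    _, raw_headers, _ = run_request(file_download_app)
    print("unprotected response, sniffing allowed:", sniffing_allowed(raw_headers))
    _, safe_headers, _ = run_request(NoSniffMiddleware(file_download_app))
    print("wrapped response, sniffing allowed:", sniffing_allowed(safe_headers))
```

Wrapping the whole application rather than patching individual handlers is the point of the middleware: the header is only effective on the responses that carry it, and a single forgotten handler (or an error page generated by the framework) would otherwise leave a gap. The audit helper is the kind of check that belongs in an integration test so a regression that drops the header is caught.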

3.2.7.1. References