Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

@hint/hint-x-content-type-options

Package Overview
Dependencies
Maintainers
5
Versions
53
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@hint/hint-x-content-type-options

hint for best practices related to the usage of the X-Content-Type-Options response header.

  • 4.0.23
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
15K
decreased by-13.62%
Maintainers
5
Weekly downloads
 
Created
Source

Use X-Content-Type-Options header (x-content-type-options)

x-content-type-options requires that all resources are served with the X-Content-Type-Options: nosniff HTTP response header.

Why is this important?

Sometimes the metadata browsers need to know how to interpret the content of a resource is either incorrect, not reliable, or absent. In those cases, browsers use contextual clues that inspect the bytes of the response to detect the file format. This is known as MIME sniffing and it is done regardless of the specified Content-Type HTTP header sent by servers.

For example, if a browser requests a script, but that script is served with an incorrect media type (e.g. x/x), the browser will still detect the script and execute it.

While content sniffing can be beneficial, it can also expose the web site/app to attacks based on MIME-type confusion leading to security problems, especially in the case of servers hosting untrusted content.

Fortunately, browsers provide a way to opt-out of MIME sniffing by using the X-Content-Type-Options: nosniff HTTP response header.

Going back to the previous example, if the X-Content-Type-Options: nosniff header is sent for the script and the browser detects that it’s a script and it wasn’t served with one of the JavaScript media types, the script will be blocked.

While modern browsers respect the header mainly for scripts and stylesheets, Chromium uses this response header on other resources for Cross-Origin Read Blocking.

What does the hint check?

The hint checks if all resources are served with the X-Content-Type-Options HTTP headers with the value of nosniff.

Examples that trigger the hint

Resource is not served with the X-Content-Type-Options HTTP header.

HTTP/... 200 OK

...

Content-Type: image/png

Script is served with the X-Content-Type-Options HTTP header with the invalid value of no-sniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: no-sniff

Examples that pass the hint

Script is served with the X-Content-Type-Options HTTP header with the valid value of nosniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: nosniff

How to configure the server to pass this hint

How to configure Apache

Apache can be configured to add headers using the Header directive.

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
</IfModule>

Note that:

  • The above snippet works with Apache v2.2.0+, but you need to have mod_headers enabled for it to take effect.

  • If you have access to the main Apache configuration file (usually called httpd.conf), you should add the logic in, for example, a <Directory> section in that file. This is usually the recommended way as using .htaccess files slows down Apache!

    If you don't have access to the main configuration file (quite common with hosting services), add the snippets in a .htaccess file in the root of the web site/app.

For the complete set of configurations, not just for this rule, see the Apache server configuration related documentation.

How to configure IIS

You can add this header unconditionally to all responses.

<configuration>
     <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="X-Content-Type-Options" value="nosniff" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

Note that:

  • The above snippet works with IIS 7+.
  • You should use the above snippet in the web.config of your application.

For the complete set of configurations, not just for this rule, see the IIS server configuration related documentation.

How to use this hint?

This package is installed automatically by webhint:

npm install hint --save-dev

To use it, activate it via the .hintrc configuration file:

{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "x-content-type-options": "error",
        ...
    },
    "parsers": [...],
    ...
}

Note: The recommended way of running webhint is as a devDependency of your project.

Further Reading

Keywords

FAQs

Package last updated on 29 Aug 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc