You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

doc-sniff

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

doc-sniff

A helper for combating incorrect content-type, aka a mime sniffing module for node.js

1.0.1
latest
Source
npmnpm
Version published
Weekly downloads
959
-26.17%
Maintainers
1
Weekly downloads
 
Created
Source

doc-sniff

npm version build status coverage status dependency status

A helper for combating incorrect content-type, aka a mime sniffing module for node.js

Motivation

So you have made a http request and got back some headers and a response body, but you just don't know if that innocent Content-Type header tells you what really goes on in its body.

Enter doc-sniff, a much simpler implementation of whatwg mime sniffing algorithm. Specifically for those responses that can't be easily distinguished via file extensions or magic numbers, eg. HTML, XML documents.

Install

npm install doc-sniff --save

Usage

var docsniff = require('doc-sniff');

var mime1 = docsniff(false, '<html></html>');
console.log(mime1); // text/html

var mime2 = docsniff('text/html', '<?xml version="1.0" encoding="UTF-8" ?><feed></feed>');
console.log(mime2); // application/atom+xml

var mime3 = docsniff('application/xml; charset=UTF-8', '<?xml version="1.0" encoding="UTF-8" ?><feed></feed>');
console.log(mime3); // application/xml

Currently this module will correct following mime:

  • text/html
  • text/xml
  • text/plain
  • application/xml
  • application/rss+xml
  • application/atom+xml
  • application/rdf+xml
  • application/octet-stream

It does not attempt to be overzealous at correcting subtypes; see example 3 above, if original mime is acceptable, it will not be replaced.

API

docsniff(type, body);

  • type is the content-type header in response
  • body is the response body string
  • returns the sniffed content-type as string

Limits

The whatwg spec has a much more thorough algorithm and mime list for browser vendors, but on server-side, we are more interested in parsable documents and information extractions, if you encounter a use case not covered by this algorithm, please let us know on github issues.

Like any simple algorithm, this can easily be spoofed, so don't use it for validation, use it for mime sniffing incoming documents only.

(For better security: mime and mmmagic can handle most filetypes, but you still need XSS protections and content whitelist to safely serve content to users.)

License

MIT

Keywords

sniff
mime
content-type

FAQs

Package last updated on 29 Jan 2015

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

Research

/

Security News

Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).

By Jonathan Leitschuh  -  Aug 01, 2025
Introducing Rust Support in Socket

Product

Introducing Rust Support in Socket

Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.

By Trevor Norris  -  Jul 31, 2025