dont-sniff-mimetype

Middleware to prevent mimetype from being sniffed


"Don't infer the MIME type" middleware

Some browsers will try to "sniff" MIME types: they inspect the response body and may treat it as a different type from the Content-Type the server declared. For example, if my server serves file.txt with a text/plain content-type, some browsers can still execute that file when it is referenced with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript.

Browsers' same-origin policies generally prevent remote resources from being loaded dangerously, but vulnerabilities in web browsers can allow this to be abused. Some browsers, like Chrome, will further isolate memory if the X-Content-Type-Options header is seen.

There are some other vulnerabilities, too.

This middleware prevents Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the X-Content-Type-Options header to its only option, nosniff:

```js
const app = require('express')()
const nosniff = require('dont-sniff-mimetype')
// Adds "X-Content-Type-Options: nosniff" to every response passing through app
app.use(nosniff())
```

MSDN has a good description of how browsers behave when this header is sent.

Last updated on 11 May 2019
