When your server serves a file, the browser is supposed to use the Content-Type header your server sends. Because many (legacy) servers sent the wrong MIME type, or none at all, Microsoft added a feature to Internet Explorer that "sniffs" the content type from the first 256 bytes of the response (en.wikipedia.org/wiki/Content_sniffing). Other browsers sniff as well, and the behaviour is now described by the WHATWG MIME Sniffing Standard.
Sniffing introduces an attack vector: if your site accepts uploads, an attacker can upload a file that is served as an image (for example) but actually begins with HTML. A sniffing browser renders it as HTML, and any script inside it runs in your site's origin, with access to your users' cookies and session, which is a stored cross-site scripting attack.
The X-Content-Type-Options header tells the browser to trust the declared Content-Type and not to sniff. Note that with nosniff set, browsers also refuse to execute a <script> response whose Content-Type is not a JavaScript type, and refuse to apply a stylesheet whose Content-Type is not text/css, so check that your static assets are served with correct types before enabling it.
The recommended value is nosniff, the only value the header supports:
X-Content-Type-Options: nosniff
Although you can set HTTP headers from your application code, it is usually simpler, and easier to apply to every response (static files included), to configure the web server to add it.
# nginx (inside the server or location block that serves the files; "always"
# adds the header to error responses too, and add_header directives in a nested
# block replace, rather than extend, those of the enclosing block, so repeat it
# in any location that defines its own add_header)
add_header X-Content-Type-Options nosniff always;

# apache (mod_headers; "always" also applies the header to error responses)
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
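To make the sniffing attack and the effect of the header concrete, here is an added Python model that is not Passmarked's code. It implements a deliberately reduced version of the sniffing rules (a few image magic numbers and a short list of leading HTML tags, inspecting the first 256 bytes as the text above describes; the full WHATWG table is larger and modern browsers are less aggressive than the legacy behaviour modelled here), parses a raw HTTP response, and decides what type the response would be treated as with and without X-Content-Type-Options: nosniff. The HTTP responses and the fake PNG bytes are constructed inline for the demonstration.

```python
import re

# The page describes legacy sniffing as looking at the first 256 bytes.
SNIFF_BYTES = 256

# Real magic numbers for a few image formats.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
)

# Subset of the HTML tags a sniffer treats as text/html when they open the body.
HTML_TAG_RE = re.compile(
    rb"^[ \t\r\n]*<(?:!doctype html|html|head|script|iframe|body|div|p|a|"
    rb"font|table|title|style|h1|b|br)(?:[ \t\r\n>])",
    re.IGNORECASE,
)


def sniff(body: bytes) -> str:
    """Reduced content sniffer: signature match first, then HTML tag check."""
    head = body[:SNIFF_BYTES]
    for signature, mime in IMAGE_SIGNATURES:
        if head.startswith(signature):
            return mime
    if HTML_TAG_RE.match(head):
        return "text/html"
    return "application/octet-stream"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    header_block, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in header_block.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def effective_type(raw: bytes) -> str:
    """Model of the browser decision: honour Content-Type when nosniff is set,
    otherwise fall back to sniffing the body (the legacy behaviour)."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if nosniff and declared:
        return declared
    return sniff(body)


def build_response(extra_headers, body: bytes) -> bytes:
    """Constructed response for a file the server believes is a PNG upload."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: image/png"]
    lines += [h.encode("latin-1") for h in extra_headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed sample bodies: an "image" that is really HTML, and a genuine PNG header
# followed by dummy bytes (only the signature matters to the sniffer).
HTML_DISGUISED_AS_PNG = b"<html><body><script>alert(document.domain)</script></body></html>"
REAL_PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

UPLOAD_WITHOUT_NOSNIFF = build_response([], HTML_DISGUISED_AS_PNG)
UPLOAD_WITH_NOSNIFF = build_response(["X-Content-Type-Options: nosniff"], HTML_DISGUISED_AS_PNG)
GENUINE_IMAGE = build_response([], REAL_PNG_PREFIX)

if __name__ == "__main__":
    for label, raw in (("no header", UPLOAD_WITHOUT_NOSNIFF),
                       ("nosniff", UPLOAD_WITH_NOSNIFF),
                       ("real png", GENUINE_IMAGE)):
        print(f"{label:10s} -> treated as {effective_type(raw)}")
```

Without the header the HTML-in-a-PNG upload is treated as text/html and its script runs; with nosniff the declared image/png is honoured and the browser shows a broken image instead. The same parse_response/effective_type pair is a useful starting point for a quick audit of your own responses: feed it the raw output of a request to a user-uploaded file and confirm the result matches the type you intended to serve.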