How to implement the X-Content-Type-Options Header

Overview

You can set this header by adding a rule to your web server’s configuration file. The header has only one (1) valid value, nosniff. It tells the browser to use the Content-Type the server declares in the response header and not to guess the type by inspecting the content itself (also known as MIME sniffing). Below is the header and value.

X-Content-Type-Options: nosniff

 

Note: Different web servers have different configuration files. Choose the one below that applies to your website. 

 

Apache web servers:

Using .htaccess configuration file. 

If you’re on a shared hosting plan, you’ll usually only have access to create rules in the .htaccess configuration file. The Header directive below needs the mod_headers module, which most shared hosts enable. Follow these steps:

  1. Go to your website’s root folder and open the .htaccess file (create it if it does not exist). Note: You should be able to do this using either an FTP application such as FileZilla or your hosting provider’s online file manager.
  2. Copy the following line into the .htaccess file (after any existing rules) and save it. The header should now be set on every response, including error pages, which is what the always keyword is for.
Header always set X-Content-Type-Options "nosniff"

Using httpd.conf configuration file

If you’re on a dedicated hosting plan or your own server and have access to the main Apache configuration file, httpd.conf (on Debian-based systems it is apache2.conf), then:

  1. Open the configuration file. Note: It lives in the server’s configuration directory, not in the website’s root folder; typical locations are /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf, and you will normally need shell access rather than FTP. Make sure the mod_headers module is loaded (on Debian/Ubuntu, with a2enmod headers).
  2. Copy the following line into the file, either at the global level or inside the <VirtualHost> block for the site, and save it. Test the configuration and reload Apache. The header should now be set.
Header always set X-Content-Type-Options "nosniff"

Microsoft IIS web server

Add the following to the web.config file in your site’s root folder (merge it into the <system.webServer> section if one already exists), or set the same header through IIS Manager under HTTP Response Headers:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

NGINX web server

Copy the following line into your server block configuration, then test the configuration and reload NGINX.

add_header X-Content-Type-Options "nosniff" always;

The always parameter makes NGINX send the header on error responses (404, 500 and so on) as well as on 2xx and 3xx responses, which matters because the protection has to cover every response, not only successful ones. Two things to check: there must be no stray space inside the quotes, and add_header is not inherited by a server or location block that has any add_header of its own, so a location block that sets other headers must repeat this line.

Note:

Some CMSs such as WordPress offer plugins that let you set headers through a point-and-click interface, in case you are uncomfortable modifying the configuration file directly.

 

How to verify the X-Content-Type-Options header is set

Use your browser’s built-in developer tools to view the HTTP headers, as below:

Using Google Chrome or Firefox:

  1. Open the web page.
  2. Right-click anywhere on the page and select “Inspect” (Chrome) or “Inspect Element” (Firefox).
  3. Go to the “Network” tab.
  4. Refresh the page and select the page’s URL from the list of loaded resources. If the header is missing, tick “Disable cache” in the Network tab and refresh once more, so you are looking at a fresh response rather than a cached one.
  5. Look under “Response Headers” to see if the X-Content-Type-Options header is set as you configured. Repeat the check on a page that does not exist (a 404) and on a static asset such as a script or image, since the header must be present on every response, not only the main page.
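A scripted version of the same check, as an added example that is not part of the original page: it requests each URL (including one that should return 404, since the header must be present on error pages too) and reports whether the value the browser would read is exactly nosniff. It uses only the Python standard library; the example.com URLs under the main block are placeholders to replace with your own site.

```python
"""Audit a site for X-Content-Type-Options: nosniff on every response.

Added example, not part of the original page. Uses only the standard
library. The example.com URLs under __main__ are placeholders (assumption):
pass your own URLs on the command line.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

HEADER = "X-Content-Type-Options"
VALID = "nosniff"


def evaluate_nosniff(values: List[str]) -> Tuple[bool, str]:
    """Judge the X-Content-Type-Options values from one response.

    A browser reads the first value only, trims HTTP whitespace and compares
    it to "nosniff" ASCII-case-insensitively; anything else ("no-sniff",
    "none", a typo) gives no protection at all, and no error is shown.
    """
    if not values:
        return False, "header missing"
    # Mirror the browser's "get, decode and split": a header sent twice and a
    # single header with a comma-separated value look the same afterwards.
    tokens = [t for v in values for t in v.split(",")]
    first = tokens[0]
    if first.strip().lower() != VALID:
        return False, f"invalid value {first!r}; the only valid value is nosniff"
    if first != first.strip():
        # Current browsers tolerate this, but it usually means a quoting
        # mistake in the config (e.g. "nosniff " with a trailing space).
        return True, f"ok, but the value has stray whitespace: {first!r}"
    if len(tokens) > 1:
        # Typically the application and a reverse proxy both add the header.
        extras = [t.strip() for t in tokens[1:] if t.strip().lower() != VALID]
        if extras:
            return False, (f"header repeated with invalid value(s) {extras!r}; "
                           "browsers use the first value, but fix the config")
        return True, "ok, but the header is sent more than once"
    return True, "ok"


def fetch_header_values(url: str, timeout: float = 10.0) -> Tuple[int, List[str]]:
    """GET url and return (status code, every X-Content-Type-Options value).

    HTTP errors are returned rather than raised: the header must be present
    on 404 and 500 pages too, which is what the "always" keyword in the
    Apache and NGINX directives is for.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "nosniff-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all(HEADER) or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all(HEADER) or []


def audit(urls: List[str],
          fetch: Callable[[str], Tuple[int, List[str]]] = fetch_header_values
          ) -> Dict[str, Tuple[int, bool, str]]:
    """Return {url: (status, ok, message)}; `fetch` is injectable for offline tests."""
    results: Dict[str, Tuple[int, bool, str]] = {}
    for url in urls:
        status, values = fetch(url)
        ok, message = evaluate_nosniff(values)
        results[url] = (status, ok, message)
    return results


if __name__ == "__main__":
    # Always include a path that does not exist so the error page is checked.
    targets = sys.argv[1:] or ["https://example.com/",
                               "https://example.com/this-page-does-not-exist"]
    for url, (status, ok, message) in audit(targets).items():
        print(f"{'PASS' if ok else 'FAIL'}  {status}  {url}  {message}")
```

Run it with one or more URLs as arguments; without arguments it checks the placeholder URLs. The evaluator deliberately mirrors how a browser reads the header (first value, whitespace trimmed, case-insensitive) rather than doing a plain string comparison, so what it passes is what the browser will honour, and the audit function takes a fetch callable so the logic can be exercised without a network.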

 

Why implement the X-Content-Type-Options Header

This header is not an XSS filter; it stops the browser from second-guessing the Content-Type. Without it, a browser that receives a response with a missing or unexpected Content-Type may inspect the bytes and decide for itself what they are, so a file that was uploaded as text/plain or as an image but contains HTML or JavaScript can end up being rendered or executed in your site’s origin. With nosniff set, the browser takes the declared type as final: a response loaded via a script tag whose Content-Type is not a JavaScript MIME type is refused, a stylesheet whose type is not text/css is refused, and the MIME-confusion route to Cross Site Scripting (XSS) and drive-by downloads is closed. It only helps if the Content-Type values your server sends are correct in the first place, so check those too.

Link(s) for additional information on this topic