X-Content-Type-Options is a header that tells a browser not to try to “guess” (sniff) the MIME type of a resource, and instead to take the MIME type the server returned as fact.
For a long time, anything within a script tag like so :
On its own the header might not block much, but when you are securing a site you close every door possible.
Another popular reason for using this header is that it stops “hotlinking” of resources. Github recently implemented this header so that people wouldn’t reference scripts hosted in repositories.
X-Content-Type-Options: nosniff
This is the only setting available for this header. It’s an on/off type header with no other “settings” available.
Setting X-Content-Type-Options At The Code Level
Like other headers, the easiest way is to use a custom middleware like so :
```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.Use(async (context, next) =>
    {
        // Add the header before handing off, so it is in place when the response is written.
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        await next();
    });
}
```
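If you would rather not repeat the inline lambda in every project, the same thing can be packaged as a small reusable middleware class with an extension method. The following is an added example and not code from the original post; the class name `NoSniffMiddleware` and the `UseNoSniff()` extension method are my own naming, everything else is the standard ASP.NET Core middleware pattern.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical reusable middleware (added example, not the post's code).
public class NoSniffMiddleware
{
    private const string HeaderName = "X-Content-Type-Options";
    private const string HeaderValue = "nosniff";
    private readonly RequestDelegate _next;

    public NoSniffMiddleware(RequestDelegate next) => _next = next;

    public Task Invoke(HttpContext context)
    {
        // Register the header to be written just before the response headers are sent.
        // This still works if a later component changes the status code or short-circuits,
        // and it does not overwrite a value a downstream handler has already set.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            if (!headers.ContainsKey(HeaderName))
            {
                headers[HeaderName] = HeaderValue;
            }
            return Task.CompletedTask;
        });

        return _next(context);
    }
}

public static class NoSniffMiddlewareExtensions
{
    // Hypothetical extension method so Startup.Configure reads app.UseNoSniff();
    public static IApplicationBuilder UseNoSniff(this IApplicationBuilder app)
        => app.UseMiddleware<NoSniffMiddleware>();
}
```

Call `app.UseNoSniff();` early in `Configure`, before `UseStaticFiles()` and `UseMvc()`, so the header goes out on static assets as well as on action results. One thing to check after turning it on: browsers that honour nosniff refuse to execute a script or apply a stylesheet whose Content-Type is not a JavaScript or CSS type, so make sure every static asset is actually served with the correct Content-Type rather than a generic or missing one.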
Setting X-Content-Type-Options At The Server Level
When running .NET Core in production, it is very unlikely that you will be using Kestrel without a web server in front of it (in fact you 100% should not be), so some prefer to set headers at the server level. If this is you then see below.
Setting X-Content-Type-Options in IIS
You can do this in Web.config but IIS Manager is just as easy.
- Open IIS Manager and on the left hand tree, left click the site you would like to manage.
- Double click the “HTTP Response Headers” icon.
- Right click the header list and select “Add”.
- For the “name” write “X-Content-Type-Options” and for the value “nosniff”.
Setting X-Content-Type-Options in Apache
In your httpd.conf file you need to append the following line :
Header always append X-Content-Type-Options nosniff
Setting X-Content-Type-Options in htaccess
Header append X-Content-Type-Options "nosniff"
Setting X-Content-Type-Options in NGINX
In nginx.conf add the following line. Restart NGINX after.
add_header X-Content-Type-Options "nosniff";