Security: Use content sniffing protection #13
Labels: bug, enhancement, help wanted
Describe the bug
Turn off browser content sniffing to protect against content sniffing exploits. When processing a response, browsers sometimes ignore the MIME type in the Content-Type header and guess the type based on the contents of the response. This is called content sniffing and is done to improve the user experience when Content-Type headers are inaccurate or missing. However, this behaviour can be exploited. For example, if our site allows users to share images, an attacker might be able to upload a specially crafted image file that contains JavaScript code. A browser performing content sniffing might then be tricked into executing the malicious file.
To Reproduce
Observed `X-Content-Type-Options` header on responses: None (the header is not set at all).
Expected behavior
To reduce content sniffing attacks, set the X-Content-Type-Options response header to nosniff. This tells browsers to avoid guessing response types and to rely only on the Content-Type header.
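The following is an added example, not code from this project: a small WSGI middleware that stamps `X-Content-Type-Options: nosniff` onto every response, plus an audit function that reports the same "header: None" finding as the reproduction step above. It assumes the application is served through a WSGI callable (the `upload_app` stand-in, its `image/png` response and the `call_app` harness are constructed for the demo and are not part of the project).

```python
"""Enforce and audit X-Content-Type-Options: nosniff on HTTP responses.

Added example, not the project's own code. Assumes a WSGI application; the
upload_app endpoint and call_app harness below are constructed stand-ins.
"""
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]
NOSNIFF_HEADER = "X-Content-Type-Options"
NOSNIFF_VALUE = "nosniff"


def add_nosniff(headers: Headers) -> Headers:
    """Return headers carrying exactly one X-Content-Type-Options: nosniff.

    Header names are case-insensitive, so an existing header in any casing
    is replaced rather than duplicated; conflicting duplicates would leave
    the browser free to ignore the directive.
    """
    kept = [(k, v) for k, v in headers if k.lower() != NOSNIFF_HEADER.lower()]
    kept.append((NOSNIFF_HEADER, NOSNIFF_VALUE))
    return kept


def nosniff_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so every response it emits carries the nosniff header."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_nosniff(headers), exc_info)
        return app(environ, patched_start_response)
    return wrapped


def audit_nosniff(headers: Headers) -> List[str]:
    """Return findings for one response's headers; an empty list means OK.

    Mirrors the reproduction step in the issue: a missing header is reported
    as 'header: None', and wrong or repeated values are flagged too.
    """
    findings = []
    values = [v.strip().lower() for k, v in headers
              if k.lower() == NOSNIFF_HEADER.lower()]
    if not values:
        findings.append(f"{NOSNIFF_HEADER} header: None (missing)")
    elif any(v != NOSNIFF_VALUE for v in values):
        findings.append(f"{NOSNIFF_HEADER} has unexpected value(s): {values}")
    if len(values) > 1:
        findings.append(f"{NOSNIFF_HEADER} is sent {len(values)} times")
    return findings


def call_app(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app with a constructed environ and collect its response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def upload_app(environ, start_response):
    """Constructed stand-in for an image endpoint that sets no nosniff header."""
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"\x89PNG constructed sample body"]


if __name__ == "__main__":
    _, before, _ = call_app(upload_app)
    print("before middleware:", audit_nosniff(before))
    _, after, _ = call_app(nosniff_middleware(upload_app))
    print("after middleware:", audit_nosniff(after))
```

Wrap the application object once at startup (`app = nosniff_middleware(app)`) so the header is applied uniformly, including to error and static-file responses that individual views never touch; `audit_nosniff` can then be run against captured responses in a test suite to catch regressions.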