A JS Foundation Project

Require `X-Content-Type-Options` HTTP response header

Require X-Content-Type-Options HTTP response header (@sonarwhal/rule-x-content-type-options)

x-content-type-options requires that all scripts and stylesheets are served with the X-Content-Type-Options: nosniff HTTP response header.

Why is this important?

Sometimes the metadata browsers need in order to know how to interpret the content of a resource is incorrect, unreliable, or absent. In those cases, browsers inspect the bytes of the response, together with contextual clues, to detect the file format. This is known as MIME sniffing, and it is done regardless of the Content-Type HTTP header sent by the server.

For example, if a browser requests a script, but that script is served with an incorrect media type (e.g. x/x), the browser will still detect the script and execute it.

While content sniffing can be beneficial, it can also expose the web site/app to attacks based on MIME-type confusion leading to security problems, especially in the case of servers hosting untrusted content.

Fortunately, browsers provide a way to opt-out of MIME sniffing by using the X-Content-Type-Options: nosniff HTTP response header.

Going back to the previous example: if the X-Content-Type-Options: nosniff header is sent for the script, and the browser detects that it is a script that was not served with one of the JavaScript media types, the script will be blocked.

Note: Modern browsers only respect the header for scripts and stylesheets, and sending the header for other resources (such as images) when they are served with the wrong media type may create problems in older browsers.

What does the rule check?

The rule checks that all scripts and stylesheets are served with the X-Content-Type-Options HTTP header set to the value nosniff.

Examples that trigger the rule

A resource that is neither a script nor a stylesheet is served with the X-Content-Type-Options HTTP header.

HTTP/... 200 OK

...
Content-Type: image/png
X-Content-Type-Options: nosniff

Script is served with the X-Content-Type-Options HTTP header with the invalid value of no-sniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: no-sniff

Examples that pass the rule

Script is served with the X-Content-Type-Options HTTP header with the valid value of nosniff.

HTTP/... 200 OK

...
Content-Type: text/javascript; charset=utf-8
X-Content-Type-Options: nosniff
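To make the three examples above concrete, here is an added example (not sonarwhal's own code) of a simplified checker that applies the same decision the rule describes: scripts and stylesheets must carry X-Content-Type-Options: nosniff, other resources should not carry the header at all. It goes slightly beyond the page's cases by also covering a script with the header missing and a stylesheet whose header value differs only in case. In sonarwhal the connector reports which element fetched each resource; here an `element` field on each constructed sample response plays that role, and the `getHeader`, `resourceKind`, `checkXContentTypeOptions` and `runChecks` names are this example's own.

```javascript
'use strict';

// Added example, not part of @sonarwhal/rule-x-content-type-options.
// Each sample response carries the element that requested it (an assumption
// standing in for what sonarwhal's connector would report).

// Map the requesting element to the category the rule cares about.
function resourceKind(element) {
  if (element === 'script') return 'script';
  if (element === 'link') return 'stylesheet'; // assumes <link rel="stylesheet">
  return 'other';
}

// HTTP header names are case-insensitive, so look the header up accordingly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Returns null when the response is acceptable, otherwise a problem message
// (the messages are this example's own wording, not sonarwhal's).
function checkXContentTypeOptions(response) {
  const kind = resourceKind(response.element);
  const raw = getHeader(response.headers, 'X-Content-Type-Options');

  if (kind === 'other') {
    // Browsers only honour nosniff for scripts and stylesheets; on other
    // resources the header is unnecessary and may cause trouble in older browsers.
    return raw === undefined
      ? null
      : `X-Content-Type-Options should not be sent for ${response.url} (${kind} resource)`;
  }
  if (raw === undefined) {
    return `X-Content-Type-Options header is missing for ${response.url} (${kind})`;
  }
  // Browsers match the value ASCII case-insensitively and ignore surrounding whitespace.
  if (raw.trim().toLowerCase() !== 'nosniff') {
    return `X-Content-Type-Options value "${raw}" is invalid for ${response.url}; expected "nosniff"`;
  }
  return null;
}

// Constructed sample responses: the three from the documentation above, plus a
// script with no header at all and a stylesheet with a differently cased value.
const SAMPLE_RESPONSES = [
  { url: 'https://example.test/logo.png', element: 'img',
    headers: { 'Content-Type': 'image/png', 'X-Content-Type-Options': 'nosniff' } },
  { url: 'https://example.test/app.js', element: 'script',
    headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'no-sniff' } },
  { url: 'https://example.test/vendor.js', element: 'script',
    headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' } },
  { url: 'https://example.test/legacy.js', element: 'script',
    headers: { 'content-type': 'application/javascript' } },
  { url: 'https://example.test/site.css', element: 'link',
    headers: { 'content-type': 'text/css', 'x-content-type-options': 'NoSniff' } },
];

// Run the check over every response and keep the verdict next to the URL.
function runChecks(responses) {
  return responses.map((r) => ({ url: r.url, problem: checkXContentTypeOptions(r) }));
}

for (const { url, problem } of runChecks(SAMPLE_RESPONSES)) {
  console.log(problem === null ? `PASS ${url}` : `FAIL ${problem}`);
}
```

Running the block prints one PASS/FAIL line per sample; the first, second and fourth responses are flagged, the third and fifth pass. The case-insensitive comparison matters in practice: a server that emits `NoSniff` is still protected in browsers, so an audit that flags it would produce a false positive.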

How to use this rule?

To use it you will have to install it via npm:

npm install @sonarwhal/rule-x-content-type-options

Note: You can make npm install it as a devDependency using the --save-dev parameter, or to install it globally, you can use the -g parameter. For other options see npm's documentation.

And then activate it via the .sonarwhalrc configuration file:

{
    "connector": {...},
    "formatters": [...],
    "parsers": [...],
    "rules": {
        "x-content-type-options": "error"
    },
    ...
}

Further Reading