Require `X-Content-Type-Options` HTTP response header

Require `X-Content-Type-Options` HTTP response header (`x-content-type-options`)

`x-content-type-options` warns when a resource is served without the `X-Content-Type-Options: nosniff` HTTP response header.

Why is this important?

Sometimes the metadata browsers need in order to know how to interpret the content of a resource is incorrect, unreliable, or absent altogether. To work around that and still render something useful, browsers do not rely solely on the `Content-Type` HTTP header sent by the server: they also use contextual clues and inspect the first bytes of the response body to guess the file format. This is known as MIME sniffing.

For example, if a browser requests a script but that script is served with an incorrect media type (e.g. `x/x`), the browser will still sniff the bytes, recognise the response as script, and execute it.

While content sniffing can be beneficial, it also exposes a web site or app to MIME-type confusion attacks: if an attacker can get a file onto the server that is served as, say, an image or plain text, sniffing may let a browser treat it as a script or stylesheet instead. This matters most for servers hosting untrusted (user-uploaded) content.

Fortunately, browsers provide a way to opt out of MIME sniffing with the `X-Content-Type-Options: nosniff` HTTP response header. The header is evaluated per response, so it should be sent with every resource, not just with scripts and stylesheets.

Note: Most modern browsers only enforce the header for scripts and styles (see also whatwg/fetch#395). Chromium's Cross-Origin Read Blocking additionally uses `nosniff` to decide whether a cross-origin response can be blocked based on its declared `Content-Type` alone, without sniffing.

Going back to the previous example: if the `X-Content-Type-Options: nosniff` header is sent with the script, and the browser is loading it as a script but it was not served with one of the JavaScript media types (`text/javascript`, `application/javascript`, ...), the browser will block it rather than execute it. The same applies to stylesheets that are not served as `text/css`.

What does the rule check?

The rule checks if responses include the `X-Content-Type-Options` HTTP header with the value `nosniff`.
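The script example above and the rule check can be put side by side in code. The following is an added example, not webhint's own implementation: it parses constructed raw HTTP responses, reports the pass/fail decision this hint makes (header present and equal to `nosniff`), and models what a browser then does with the response, following the Fetch standard's "determine nosniff" and "should response to request be blocked due to nosniff?" steps as I read them. The sample responses, header parsing (no line folding, one `Content-Type` value) and reason strings are mine.

```javascript
// Added example, not webhint's own code. Models two decisions on constructed raw
// HTTP responses: the pass/fail this hint reports, and what a browser does with
// the response per the Fetch standard's nosniff steps (as read by the author of
// this example). Header parsing is simplified: no line folding, one Content-Type.

// JavaScript MIME types from the MIME Sniffing standard (essence only).
const JAVASCRIPT_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Request destinations Fetch treats as "script-like".
const SCRIPT_LIKE_DESTINATIONS = new Set([
  'script', 'worker', 'sharedworker', 'serviceworker', 'audioworklet', 'paintworklet',
]);

// Parse "status line + header lines" into a Map of lower-cased name -> [values].
// Header names are case-insensitive; repeated headers keep every value.
function parseRawResponse(raw) {
  const [head] = raw.split(/\r?\n\r?\n/, 1);
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const headers = new Map();
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 1) continue; // skip "..." placeholders and malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { statusLine, headers };
}

// Fetch "determine nosniff": the first comma-separated element of the header's
// value must be an ASCII case-insensitive match for "nosniff". "no-sniff" fails.
function nosniffEnabled(headers) {
  const values = headers.get('x-content-type-options');
  if (!values) return false;
  return values.join(',').split(',')[0].trim().toLowerCase() === 'nosniff';
}

// Simplified "extract a MIME type": essence of the last Content-Type value.
function mimeEssence(headers) {
  const values = headers.get('content-type');
  if (!values) return null;
  const essence = values[values.length - 1].split(';')[0].trim().toLowerCase();
  return essence.includes('/') ? essence : null;
}

// What the hint reports: header present and its value is "nosniff".
function checkXContentTypeOptions(raw) {
  const { headers } = parseRawResponse(raw);
  const values = headers.get('x-content-type-options');
  if (!values) {
    return { pass: false, reason: "'x-content-type-options' header was not specified" };
  }
  if (!nosniffEnabled(headers)) {
    return { pass: false, reason: `'x-content-type-options' value should be 'nosniff', not '${values[0]}'` };
  }
  return { pass: true, reason: 'nosniff present' };
}

// What the browser does: with nosniff, a script-like destination needs a
// JavaScript MIME type and a "style" destination needs text/css; otherwise the
// response is blocked (network error). Without nosniff it is sniffed and used.
function blockedByNosniff(raw, destination) {
  const { headers } = parseRawResponse(raw);
  if (!nosniffEnabled(headers)) return false;
  const essence = mimeEssence(headers);
  if (SCRIPT_LIKE_DESTINATIONS.has(destination)) {
    return essence === null || !JAVASCRIPT_MIME_TYPES.has(essence);
  }
  if (destination === 'style') return essence !== 'text/css';
  return false; // other destinations are not covered by this Fetch check
}

// Constructed sample responses (bodies shortened to the point of the example).
const SAMPLES = {
  missing:   'HTTP/1.1 200 OK\r\nContent-Type: x/x\r\n\r\nalert(1)',
  misspelt:  'HTTP/1.1 200 OK\r\nContent-Type: x/x\r\nX-Content-Type-Options: no-sniff\r\n\r\nalert(1)',
  wrongType: 'HTTP/1.1 200 OK\r\nContent-Type: x/x\r\nX-Content-Type-Options: nosniff\r\n\r\nalert(1)',
  ok:        'HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset=utf-8\r\nx-content-type-options: NOSNIFF\r\n\r\nalert(1)',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const hint = checkXContentTypeOptions(raw);
  console.log(`${name.padEnd(9)} hint: ${hint.pass ? 'pass' : 'FAIL'} (${hint.reason});` +
    ` as <script>: ${blockedByNosniff(raw, 'script') ? 'blocked' : 'executed'}`);
}
```

Two details worth noticing: the misspelt `no-sniff` value both fails the hint and leaves the browser sniffing, so the typo is a real regression, not a cosmetic one; and the `wrongType` sample passes the hint while still being blocked as a script, because the hint only checks the header, while the browser also needs a correct `Content-Type` for the resource to load at all.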

Examples that trigger the rule

The header is missing:

HTTP/... 200 OK
...

The header is present but its value is misspelt (`no-sniff` instead of `nosniff`), which browsers do not honour:

HTTP/... 200 OK
...
X-Content-Type-Options: no-sniff

Examples that pass the rule

HTTP/... 200 OK
...
X-Content-Type-Options: nosniff

Further Reading