Security/Guidelines/Web Security: Difference between revisions

m (→‎X-Content-Type-Options: add version of firefox that includes support for this feature)
Line 594: Line 594:
= X-Content-Type-Options =
= X-Content-Type-Options =


<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve.
<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve.


== Examples ==
== Examples ==


<pre># Prevent IE and Chrome from incorrectly detecting non-scripts as scripts
<pre># Prevent browsers from incorrectly detecting non-scripts as scripts
X-Content-Type-Options: nosniff</pre>
X-Content-Type-Options: nosniff</pre>
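Review bot: the new first sentence now lists three browsers ("Internet Explorer, Chrome and Firefox 50+") but still says "tells it not to load scripts and stylesheets", so the pronoun no longer agrees; change "tells it" to "tells them". The updated <pre> comment ("Prevent browsers from incorrectly detecting non-scripts as scripts") is a good match for the broadened browser list, but the prose example still only shows the header, while the last sentence also requires "the appropriate MIME types for files that they serve"; consider stating explicitly that nosniff only works when the server sends a correct Content-Type, since that is the condition the guideline depends on.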


Line 604: Line 604:


* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]


= X-Frame-Options =
= X-Frame-Options =
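Review bot: the reference list under this section still cites only "Microsoft on Reducing MIME Type Security Risks", yet the revised text now asserts support in Firefox 50+; add a Mozilla reference documenting that Firefox support so the new version claim is backed by a source on the page alongside the Microsoft one.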