Confirmed users
65
edits
Security/Guidelines/Web Security: Difference between revisions
Security/Guidelines/Web Security (view source)
Revision as of 14:26, 29 August 2016
, 29 August 2016→X-Content-Type-Options: add version of firefox that includes support for this feature
m (→X-Content-Type-Options: add version of firefox that includes support for this feature) |
|||
| Line 594: | Line 594: | ||
= X-Content-Type-Options = | = X-Content-Type-Options = | ||
<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and | <tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve. | ||
== Examples == | == Examples == | ||
<pre># Prevent | <pre># Prevent browsers from incorrectly detecting non-scripts as scripts | ||
X-Content-Type-Options: nosniff</pre> | X-Content-Type-Options: nosniff</pre> | ||
| Line 604: | Line 604: | ||
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks] | * [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks] | ||
= X-Frame-Options = | = X-Frame-Options = | ||