Don't Sniff Mimetype
Written by Ulises Gascón, Apr 08, 2020 — 2 min read
MIME types are a way of determining what kind of file you’re looking at. PNG images have the type
image/png; JSON files are
Content-Type header to determine what the thing is.
Let’s say that your browser sees this:
It’ll go and load
example.com sends a
Content-Type header of
But what if
This MIME sniffing can be an attack vector. A user could upload an image with the
X-Content-Type-Options header tells browsers not to sniff MIME types. When this header is set to nosniff, browsers won’t sniff the MIME type—they will trust what the server says and block the resource if it’s wrong.
noSniff middleware will set the X-Content-Type-Options header to nosniff for every request.
```js
const express = require('express')
const helmet = require('helmet')
const app = express()

// By default: Sets "X-Content-Type-Options: nosniff".
app.use(helmet())

// Sets "X-Content-Type-Options: nosniff" on its own, without the other Helmet headers.
app.use(helmet.noSniff())
```
- Helmet | Don't Sniff Mimetype
- Fox it | MIME Sniffing: feature or vulnerability?
- Miki Blog | Abusing JSONP with Rosetta Flash
- MDN | X-Content-Type-Options
- Microsoft | Reducing MIME type security risks