x-content-type


Set X-Content-Type-Options: nosniff

A browser that MIME-sniffs inspects the response body and decides for itself what the content is, so a file containing malicious JavaScript that was uploaded as an image can end up executed as script even though the server sent Content-Type: image/png. nosniff forces the browser to honor the declared type.

Quick Reference

  • Set X-Content-Type-Options: nosniff on all responses — the only valid value is nosniff
  • Without this header, browsers may execute a JavaScript file disguised as an image if the server serves it with the wrong MIME type
  • This header is required by OWASP's security hardening checklist and the Fetch specification
  • Pair with correct Content-Type headers on all responses for defense in depth
  • Takes 5 minutes to configure and has no compatibility issues

Check

Check whether the server sends an X-Content-Type-Options: nosniff header on responses. Verify the header is present on HTML pages, scripts, stylesheets, and API responses.

Fix

Add X-Content-Type-Options: nosniff to all HTTP responses. Configure it at the web server level (Nginx, Apache) or in your application framework, and verify with curl -I https://example.com.
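As an added example (not part of the front-end-checklist project), the following POSIX shell script performs the check above: it parses raw response headers and can be pointed at live URLs with curl. The function and script names are my own, and the header blocks used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the front-end-checklist project.
# check_nosniff reads raw HTTP response headers on stdin and returns:
#   0  X-Content-Type-Options present with the value "nosniff"
#   1  header missing
#   2  header present but with some other value (browsers only recognise
#      "nosniff", so a typo like "no-sniff" is as bad as no header at all)
# Header name and value are compared case-insensitively, and the CR that
# ends every line of a real HTTP response is stripped first.
check_nosniff() {
    headers=$(tr -d '\r')
    line=$(printf '%s\n' "$headers" | grep -i '^x-content-type-options:' | head -n 1)
    [ -n "$line" ] || return 1
    value=$(printf '%s\n' "$line" | cut -d: -f2- | tr 'A-Z' 'a-z' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ "$value" = "nosniff" ] && return 0
    return 2
}

# Fetch a URL with GET rather than HEAD (some servers and CDNs take a
# different code path for HEAD, so "curl -I" can pass while real page
# loads fail) and hand only the headers to check_nosniff. Returns 3 when
# the request itself fails.
check_url() {
    headers=$(curl -sS -o /dev/null -D - "$1") || return 3
    printf '%s\n' "$headers" | check_nosniff
}

# Usage: ./check-nosniff.sh https://example.com https://example.com/app.js
# Check several response types (HTML, scripts, stylesheets, API), since the
# header is often configured for one location and forgotten for the rest.
main() {
    status=0
    for url in "$@"; do
        if check_url "$url"; then
            echo "OK       $url"
        else
            case $? in
                1) echo "MISSING  $url" ;;
                2) echo "BAD      $url (X-Content-Type-Options is not nosniff)" ;;
                *) echo "ERROR    $url (request failed)" ;;
            esac
            status=1
        fi
    done
    return $status
}

[ "$#" -gt 0 ] && main "$@"
```

When the fix is made in Nginx, use add_header X-Content-Type-Options "nosniff" always; and remember that an add_header inside a location block replaces, rather than extends, the add_header directives inherited from the server block, which is the usual reason the header shows up on the HTML page but not on /api or static assets.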

x-content-type — thedaviddias/front-end-checklist