How to use X-Content-Type-Options to prevent MIME sniffing

What is MIME sniffing?

MIME sniffing is a technique web browsers use to guess the real type of a resource by inspecting its bytes, instead of relying only on the Content-Type header the server sent. Browsers resort to it when the header is missing, generic, or (in older browsers) simply looks wrong.

Note: MIME refers to Multipurpose Internet Mail Extensions. It is a standard, originally written so that emails could carry images, audio, video, and application files, that defines the type labels (for example text/html or image/png) which HTTP reuses in the Content-Type header.

MIME sniffing consists of the following steps:

  1. The browser requests a resource. The response either carries no Content-Type header or the type the server chose to send.

  2. The browser analyzes the magic bytes (a block of byte values at the start of a file that identifies its type, such as the PNG signature or an opening <html> tag) of the resource to guess its content type.

  3. The browser compares the type the server sent with the result of its own analysis. If the two disagree, it may act on its own guess rather than on the server's header.

Vulnerabilities in MIME sniffing

An attacker can exploit MIME sniffing wherever a website lets users upload files that are later served back to other users. The attacker disguises an HTML file as an acceptable file type, such as an image or audio file. Consider the example below:

Suppose a website only accepts audio files as uploads and checks nothing more than the file extension or the client-supplied type. An attacker uploads an HTML file named as an audio file. The website accepts and stores it, but when another user opens it, the browser's MIME sniffing algorithm recognizes the HTML signature, renders the file as a page, and runs any script it contains in the origin of the site that served it. The result is stored cross-site scripting: the script can read that site's cookies and act as the victim. The vulnerability is illustrated below:

Figure: Exploiting MIME sniffing vulnerability
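As an added example (not code from the page or from Educative), the following Python model implements the three sniffing steps above so the attack can be traced on real bytes. The signature table is a small subset of the WHATWG MIME Sniffing Standard's patterns, and the "prefer the sniffed type on a mismatch" rule in effective_type() is the page's step 3, which matches older browsers; current browsers only promote a resource to HTML when the Content-Type header is absent or explicitly unknown. The disguised upload and the WAV header are constructed samples.

```python
# Added example (not the page's or Educative's code): a simplified model of
# browser MIME sniffing. Pattern table is a subset of the WHATWG MIME
# Sniffing Standard; effective_type() models the page's "mismatch -> use the
# sniffed type" rule (legacy behaviour) and how nosniff switches it off.
from typing import Optional

# Leading bytes a browser skips before looking for an HTML tag.
WHITESPACE = b"\t\n\x0c\r "
# Byte values that mark a resource as binary rather than text
# (spec: 0x00-0x08, 0x0B, 0x0E-0x1A, 0x1C-0x1F).
BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B}
                | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20)))

# Fixed-offset signatures: (offset, pattern, mime type).
BINARY_PATTERNS = [
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"GIF87a", "image/gif"),
    (0, b"GIF89a", "image/gif"),
    (0, b"ID3", "audio/mpeg"),
    (0, b"OggS\x00", "application/ogg"),
    (0, b"%PDF-", "application/pdf"),
]

# Tag names that, at the start of a resource, mark it as HTML. Each must be
# followed by a space or '>' (the spec's "tag-terminating byte").
HTML_TAGS = [b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME",
             b"<H1", b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE",
             b"<TITLE", b"<B", b"<BODY", b"<BR", b"<P"]


def looks_like_html(head: bytes) -> bool:
    """True if the resource starts (after whitespace) with an HTML tag."""
    body = head.lstrip(WHITESPACE).upper()
    for tag in HTML_TAGS:
        if body.startswith(tag) and len(body) > len(tag) and body[len(tag)] in b" >":
            return True
    return False


def sniff(resource: bytes, sniff_scriptable: bool = True) -> str:
    """Guess a MIME type from a resource's leading bytes (step 2).

    sniff_scriptable=False models nosniff with no Content-Type at all: the
    browser may still recognise images or audio but never promotes to HTML.
    """
    head = resource[:1445]  # the spec inspects at most the first 1445 bytes
    if sniff_scriptable and looks_like_html(head):
        return "text/html"
    for offset, pattern, mime in BINARY_PATTERNS:
        if head[offset:offset + len(pattern)] == pattern:
            return mime
    # RIFF container with a WAVE form type is a WAV file.
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "audio/wave"
    if any(b in BINARY_BYTES for b in head):
        return "application/octet-stream"
    return "text/plain"


# Sniff results that are fallbacks, not confident signature matches.
SNIFFED_FALLBACKS = {"text/plain", "application/octet-stream"}


def effective_type(declared: Optional[str], resource: bytes, nosniff: bool) -> str:
    """Type the browser acts on, given the server's Content-Type (step 3)."""
    if nosniff:
        # X-Content-Type-Options: nosniff -> the server's type is final.
        return declared if declared else sniff(resource, sniff_scriptable=False)
    if declared is None:
        return sniff(resource)
    # Page's step 3: on a mismatch backed by a real signature, the sniffed
    # type wins over the declared one.
    guess = sniff(resource)
    return declared if guess in SNIFFED_FALLBACKS else guess


# Constructed sample: an "audio" upload that is really an HTML page.
DISGUISED_UPLOAD = (b"<!DOCTYPE html><html><body>"
                    b"<script>alert(document.cookie)</script></body></html>")
# Constructed sample: the header bytes of a genuine WAV file, no audio data.
REAL_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 20

if __name__ == "__main__":
    for nosniff in (False, True):
        print(f"nosniff={nosniff}: served as audio/mpeg, browser treats it as",
              effective_type("audio/mpeg", DISGUISED_UPLOAD, nosniff))
```

Running it shows the disguised upload being treated as text/html without nosniff and as audio/mpeg with it; the same call with declared=None and nosniff=True yields text/plain, because a browser that is told not to sniff still never promotes an untyped resource to HTML.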

Using X-Content-Type-Options

X-Content-Type-Options is an HTTP response header that, when sent with the value nosniff, tells the browser to take the Content-Type sent by the server as final. Therefore, it prevents MIME sniffing. Browsers that honour it also refuse to execute a script resource whose Content-Type is not a JavaScript type and refuse to apply a stylesheet whose Content-Type is not text/css, so the header also protects pages that load external scripts and styles.

Since the browser is no longer "sniffing" or analyzing the content of a page element, we must carefully ensure that the correct type is being communicated to the browser: a response with nosniff but a missing or wrong Content-Type either breaks the page or, for user uploads, leaves the file to be handled as whatever type the server mislabelled it as. The type should come from the server's own validation of the file contents, never from the client-supplied filename or Content-Type.

Header

The server adds the X-Content-Type-Options HTTP response header with the value nosniff, so that every response carries the following line:

X-Content-Type-Options: nosniff
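As an added example (not code from the page or from Educative), here is a minimal Python server that serves a stored upload with the hardened headers next to the weak setup, together with a check that can be pointed at any URL to confirm the headers arrive intact. The /safe and /unsafe paths, the port choice and the upload bytes are constructed for the demo; the Content-Disposition check is a defence-in-depth rule for user uploads that goes beyond the header the page describes.

```python
# Added example (not the page's or Educative's code): serve an upload with
# Content-Type + X-Content-Type-Options: nosniff, and verify the headers.
# Paths (/safe, /unsafe) and UPLOAD_BYTES are constructed for the demo.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed sample: an upload that claims to be audio but is HTML.
UPLOAD_BYTES = b"<!DOCTYPE html><script>alert(document.cookie)</script>"


class UploadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        if self.path == "/safe":
            # The type is chosen by the server from its own validation of the
            # stored file, never copied from the client. nosniff makes the
            # browser keep it; attachment stops inline rendering altogether.
            self.send_header("Content-Type", "audio/mpeg")
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("Content-Disposition", 'attachment; filename="track.mp3"')
        else:
            # Typical weak setup: generic type and no nosniff.
            self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(UPLOAD_BYTES)))
        self.end_headers()
        self.wfile.write(UPLOAD_BYTES)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def check_headers(headers) -> list:
    """Return findings for a response's headers; an empty list means hardened."""
    findings = []
    xcto = headers.get("X-Content-Type-Options", "")
    if xcto.strip().lower() != "nosniff":
        findings.append("missing or wrong X-Content-Type-Options (expected nosniff)")
    ctype = headers.get("Content-Type", "")
    if not ctype.strip():
        findings.append("missing Content-Type (nosniff has nothing to enforce)")
    disposition = headers.get("Content-Disposition", "")
    if not disposition.strip().lower().startswith("attachment"):
        findings.append("no Content-Disposition: attachment (upload renders inline)")
    return findings


def serve_and_check(paths=("/unsafe", "/safe")) -> dict:
    """Start the demo server on a free localhost port and check each path."""
    server = HTTPServer(("127.0.0.1", 0), UploadHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    results = {}
    try:
        for path in paths:
            with urlopen(f"http://127.0.0.1:{server.server_port}{path}") as resp:
                results[path] = check_headers(resp.headers)
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for path, findings in serve_and_check().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

check_headers() accepts the headers object urllib returns, so it can be reused against a production URL to confirm that a proxy or CDN in front of the application has not stripped the header.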


Copyright ©2025 Educative, Inc. All rights reserved