Solution – How to set X-Content-Type-Options Header

How to implement the X-Content-Type-Options Header

You can set this header by adding a rule to your web server’s configuration file. There is only one (1) valid value for this header. This header forces a browser to use the content type provided in the web page source code instead of a browser trying to do its own assessment (also known as MIME sniffing). Below is the header and value.

X-Content-Type-Options: nosniff

Note: Different web servers have different configuration files. Choose the one below that applies to your website.

Apache web servers:

Using the .htaccess configuration file

If you’re on a shared hosting plan, you’ll only have access to create rules in the .htaccess configuration file. Follow these steps:

  1. Go to your website’s root folder, open the .htaccess file. Note: You should be able to do this using either an FTP application such as Filezilla or your hosting provider’s online File manager.
  2. Copy the following line into the .htaccess file (after any existing rules) and save it. The header should now be set. Note: The Header directive requires the Apache mod_headers module to be enabled.
Header set X-Content-Type-Options "nosniff"

Using the httpd.conf configuration file

If you’re on a dedicated hosting plan that gives you access to the web server’s root configuration file httpd.conf, then:

  1. Go to your website’s root folder, open the httpd.conf file. Note: You should be able to do this using either an FTP application such as Filezilla or your hosting provider’s online File manager.
  2. Copy the following line into the httpd.conf file (after any existing rules) and save it. The header should now be set once Apache has been reloaded. Note: The Header directive requires the Apache mod_headers module to be enabled.
Header set X-Content-Type-Options "nosniff"

Microsoft IIS web server

Add the following to your site’s web.config file, inside the <system.webServer> element (the name and value must not contain leading or trailing spaces):

<httpProtocol>
    <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>

NGINX web server

Copy the following line into the server block of your NGINX configuration and reload NGINX. The always parameter makes NGINX send the header on error responses as well as successful ones.

add_header X-Content-Type-Options "nosniff" always;

NOTE: Some CMSs such as WordPress offer plugins you can use to set headers through a point-and-click interface, in case you feel uncomfortable modifying the configuration file directly.

How to verify the X-Content-Type-Options header is set

Use your browser’s built-in developer tools to view the HTTP response headers, as follows:

Using Google Chrome or Firefox:

  1. Open the web page
  2. Right-click anywhere on the page and select “Inspect element”
  3. Go to the “Network Tab”
  4. Refresh the page and select the page’s URL from the list of loaded resources
  5. Look under the panel for “Response Headers” to see if the X-Content-Type-Options header is set as you configured.
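For checking many pages, or for scripting the check into a deployment pipeline, the following Python script does the same verification from the command line. It is an added example and not part of the original article; the URL is a placeholder. It reports the header as missing, duplicated, or carrying stray whitespace (a common slip when a server rule is copied with spaces inside the quotes), which the browser view above does not make obvious.

```python
"""Verify the X-Content-Type-Options response header of a URL.

Added example (not from the original article). Usage:
    python check_nosniff.py https://www.example.com/   # placeholder URL
"""
import sys
import urllib.error
import urllib.request
from typing import Iterable, Tuple

HEADER = "x-content-type-options"


def check_nosniff(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for a sequence of (name, value) response headers.

    Header names are case-insensitive, and browsers match the value
    'nosniff' case-insensitively as well. The header must appear exactly
    once, and the value must not carry surrounding whitespace, because a
    rule such as add_header ... "nosniff " sends a value browsers ignore.
    """
    values = [v for name, v in headers if name.strip().lower() == HEADER]
    if not values:
        return False, "header missing"
    if len(values) > 1:
        return False, f"header sent {len(values)} times: {values!r}"
    raw = values[0]
    if raw != raw.strip():
        return False, f"value has surrounding whitespace: {raw!r}"
    if raw.lower() != "nosniff":
        return False, f"unexpected value {raw!r} (only 'nosniff' is valid)"
    return True, "ok"


def fetch_and_check(url: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Send a HEAD request and check the response headers, including the
    headers of an error response (4xx/5xx), which should carry nosniff too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_nosniff(resp.getheaders())
    except urllib.error.HTTPError as err:
        return check_nosniff(list(err.headers.items()))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"
    passed, reason = fetch_and_check(target)
    print(f"{target}: {'PASS' if passed else 'FAIL'} ({reason})")
```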

Why implement the X-Content-Type-Options Header

This header should be used when you want to rely on the browser’s built-in protection against MIME sniffing, so that a resource is only handled as the content type the server declared. This reduces the risk of Cross Site Scripting (XSS) attacks in which a file served with a non-script content type would otherwise be interpreted and executed as script.

Updated on November 24, 2018