The X-Content-Type-Options header tells browsers
to stop automatically detecting (sniffing) the content type of files.
This protects against attacks where a browser is tricked into
incorrectly interpreting a file as JavaScript.
Simply set the header to "nosniff".
infosec.mozilla.org:
X-Content-Type-Options is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells them not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the X-Content-Type-Options header and the appropriate MIME types for files that they serve.
In your Apache 2 VirtualHost simply add this line (the header name and value are separate arguments to the Header directive, so there is no colon after the name; "always" makes the header appear on error responses too):
Header always set X-Content-Type-Options "nosniff"
Of course make sure you have the headers module enabled:
a2enmod headers
Reload the config:
systemctl reload apache2
That’s all there is to it!
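To verify what the reload actually produced, the following Python script (an added example written for this post, not code from the post or from Mozilla) parses the head of an HTTP response and applies the same decision a nosniff-honouring browser makes: a response loaded as a script is refused unless its Content-Type is a JavaScript MIME type, and one loaded as a stylesheet is refused unless it is text/css. The sample responses are constructed inline so the script runs offline; the function names (parse_response_head, nosniff_enabled, blocked_by_nosniff, audit) and the destination labels are this example's own.

```python
"""Audit an HTTP response against X-Content-Type-Options: nosniff.

Mirrors the browser-side rule (Fetch standard, "should response to request
be blocked due to nosniff"): when nosniff is on, a script load needs a
JavaScript MIME type and a stylesheet load needs text/css; otherwise the
response is blocked. This is illustrative code, not Apache's or a browser's.
"""

# JavaScript MIME type essences recognised by browsers (WHATWG MIME Sniffing).
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def parse_response_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status line, headers).

    Header names are lower-cased; a repeated name keeps the last value.
    A real check would take the head from http.client; here it is parsed
    from constructed bytes so the example needs no network.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def nosniff_enabled(headers: dict[str, str]) -> bool:
    """True only if the first comma-separated item is exactly 'nosniff'.

    Browsers compare case-insensitively and ignore any other value, so a
    typo such as 'no-sniff' leaves sniffing enabled.
    """
    value = headers.get("x-content-type-options")
    if value is None:
        return False
    return value.split(",")[0].strip().lower() == "nosniff"


def essence(content_type: str) -> str:
    """Return type/subtype of a Content-Type value, without parameters."""
    return content_type.split(";")[0].strip().lower()


def blocked_by_nosniff(headers: dict[str, str], destination: str) -> bool:
    """Decide whether a nosniff-honouring browser refuses this response.

    destination is the load context: 'script', 'style', or anything else
    (images, documents, ...) which this rule never blocks.
    """
    if not nosniff_enabled(headers):
        return False
    mime = essence(headers.get("content-type", ""))
    if destination == "script":
        return mime not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False


def audit(raw: bytes, destination: str) -> dict:
    """Summarise one response: header present, MIME type, and the verdict."""
    status, headers = parse_response_head(raw)
    return {
        "status": status,
        "nosniff": nosniff_enabled(headers),
        "content_type": essence(headers.get("content-type", "")),
        "blocked": blocked_by_nosniff(headers, destination),
    }


# Constructed sample responses (not captured from any real server).
HARDENED_JS = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/javascript; charset=utf-8\r\n"
               b"X-Content-Type-Options: nosniff\r\n\r\n"
               b"/* body omitted */")
# A user upload served as text/plain: with nosniff, a script load of it is refused.
UPLOAD_WITH_HEADER = (b"HTTP/1.1 200 OK\r\n"
                      b"Content-Type: text/plain\r\n"
                      b"X-Content-Type-Options: nosniff\r\n\r\n"
                      b"/* body omitted */")
# Same upload with the header missing: the browser is free to sniff it as script.
UPLOAD_NO_HEADER = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/plain\r\n\r\n"
                    b"/* body omitted */")
# Misspelt value: treated by browsers as if the header were absent.
UPLOAD_WRONG_VALUE = (b"HTTP/1.1 200 OK\r\n"
                      b"Content-Type: text/plain\r\n"
                      b"X-Content-Type-Options: no-sniff\r\n\r\n"
                      b"/* body omitted */")

if __name__ == "__main__":
    for label, sample in [("hardened js", HARDENED_JS),
                          ("upload, header set", UPLOAD_WITH_HEADER),
                          ("upload, no header", UPLOAD_NO_HEADER),
                          ("upload, wrong value", UPLOAD_WRONG_VALUE)]:
        print(f"{label:22} {audit(sample, 'script')}")
```

The third and fourth samples are the ones worth watching on a real deployment: a response that lacks the header, or carries a misspelt value, reports nosniff False, and no amount of correct Content-Type on the JavaScript files compensates for it on the uploads directory.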