Disable automatic detection of resource type (MIME-Type sniffing)
This guide explains how to protect your website and its visitors from malicious exploitation of MIME-Type sniffing.
Preamble
- MIME-Type sniffing, or MIME type detection, is a technique used by web browsers to guess the content type of a resource by inspecting its bytes when the Content-Type header sent by the server is missing, ambiguous, or looks wrong.
- This can paper over server configuration errors (a resource still renders even though the server declared the wrong type), but it also introduces a real security weakness:
- A browser that sniffs may promote a resource the server declared as plain text (text/plain) or as an image to HTML or JavaScript. If an attacker can upload such a file, for example through a profile picture or attachment feature, the browser may execute its contents in your site's origin, which is a cross-site scripting (XSS) attack.
- By disabling MIME-Type sniffing, you instruct browsers to treat every resource exactly as the type the server declares. This prevents that promotion, and it also lets the browser refuse scripts and stylesheets whose declared type does not match the way the page uses them, which reduces the attack surface of your website as a whole.
Disable MIME-Type sniffing
To protect users and web applications from this vulnerability, you can disable automatic resource type detection from the .htaccess file of your site: the X-Content-Type-Options: nosniff response header instructs the browser to rely strictly on the MIME type declared by the server instead of guessing it.
Placing the code below in your .htaccess file disables MIME-Type sniffing, provided the mod_headers module (which adds the response header) is enabled on your Apache server. The IfModule wrapper keeps the directive from breaking the site with a configuration error when the module is absent, but in that case the header is simply not sent, so check the response headers after saving.
- Open the .htaccess file for the relevant site from the FTP Manager or an FTP software/client and add the following code:

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

The always keyword makes Apache add the header to error responses (404, 500 and similar) as well as to successful ones; with a plain Header set, error pages would be served without it.
- Save the .htaccess file.
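As an added example (not part of this FAQ and not Infomaniak's own code), the Python below checks whether an HTTP response carries a valid nosniff header the way a browser reads it (first value, case-insensitive, as in the Fetch standard) and models what the browser does afterwards: a script or stylesheet whose declared Content-Type does not match is refused. The three HTTP responses it inspects are constructed for the example, not captured from a real server, and all function and variable names are the example's own.

```python
"""Added example (not from the original FAQ): audit a response for
X-Content-Type-Options and model the browser's nosniff decision."""
from typing import Dict, List, Optional, Tuple

# JavaScript MIME type essences from the MIME Sniffing standard; with
# nosniff in effect a <script> with any other Content-Type is blocked.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})
# Request destinations that the Fetch standard treats as "script-like".
SCRIPT_LIKE = frozenset({"script", "audioworklet", "paintworklet",
                         "serviceworker", "sharedworker", "worker"})


def parse_response_headers(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse a raw HTTP/1.1 response head into (status, headers).

    Header names are folded to lower case and repeated headers are kept
    in a list, so a duplicated X-Content-Type-Options is visible."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def nosniff_enabled(headers: Dict[str, List[str]]) -> bool:
    """Browser view of the header: only the first comma-separated value
    counts, compared ASCII-case-insensitively with "nosniff"."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first = values[0].split(",")[0].strip()
    return first.lower() == "nosniff"


def blocked_by_nosniff(destination: str, content_type: Optional[str],
                       headers: Dict[str, List[str]]) -> bool:
    """Model the Fetch standard's 'blocked due to nosniff' check.

    Scripts are blocked unless their Content-Type essence is a JavaScript
    MIME type, stylesheets unless it is text/css. Other destinations are
    never blocked; for them nosniff only stops the browser from upgrading
    e.g. text/plain to HTML."""
    if not nosniff_enabled(headers):
        return False
    essence = (content_type or "").split(";")[0].strip().lower()
    if destination in SCRIPT_LIKE:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


# Constructed sample responses (not captured from any real server).
WITHOUT_DIRECTIVE = """HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 27
"""
WITH_DIRECTIVE = """HTTP/1.1 200 OK
Content-Type: text/plain
X-Content-Type-Options: NoSniff
Content-Length: 27
"""
# A 404 from a server that used "Header set" without "always": the
# header is only emitted on successful responses, so this page lacks it.
ERROR_PAGE_NO_ALWAYS = """HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
"""


def audit(raw: str) -> Dict[str, object]:
    """Summarise one response: status, nosniff present, and whether the
    body would be refused if a page tried to load it as a script."""
    status, headers = parse_response_headers(raw)
    ctype = headers.get("content-type", [None])[0]
    return {
        "status": status,
        "nosniff": nosniff_enabled(headers),
        "script_blocked": blocked_by_nosniff("script", ctype, headers),
    }


if __name__ == "__main__":
    for label, raw in (("200 without directive", WITHOUT_DIRECTIVE),
                       ("200 with directive", WITH_DIRECTIVE),
                       ("404 without 'always'", ERROR_PAGE_NO_ALWAYS)):
        print(f"{label}: {audit(raw)}")
```

To check a live site after saving the .htaccess, request the headers of a normal page and of a nonexistent path (for example `curl -sI https://example.com/ | grep -i x-content-type-options`, with your own hostname in place of example.com) and confirm both carry `nosniff`; the 404 case is exactly what the always keyword is for. Expect one side effect: once the header is in place, browsers refuse any script or stylesheet your server delivers with the wrong Content-Type (a .js file served as text/plain, say), so fix the server's MIME mappings rather than removing the header.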