MIME type sniffing

MIME type sniffing is an operation conducted by many browsers. Each browser behaves differently on that matter, but overall, MIME sniffing is an action where they determine a page content type depending on that page content. This is can be dangerous as it could allow attackers to hide HTML code into a .jpg file, and have the visitor's browser interpret the page and execute client code (XSS) because the browser determined the file was HTML code instead of a JPG image.

The XCTO (X-Content-Type-Options) security header can be used to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed by the browser depending on the pages content. Websites that implement that security header with the nosniff directive must also include a valid Content-Type header in their responses.


Last updated