0

I have read about X-Content-Type-Options, and it is often said that it protects against IE MIME sniffing problems.

I am wondering whether in 2021 it is still valid and a problem for modern browsers. In other words, will it be beneficial for my web server, which serves HTML, images, etc., to have this header on?

Ilya Chernomordik
  • 1
    Sadly, even in 2021, there are still a non-trivial number of people who are not using modern browsers - especially in areas like big enterprises, healthcare and government. – Gh0stFish Oct 22 '21 at 13:14
  • Yes, that is definitely the case, but let's say it's their fault if they do. So I am wondering if those who do use modern browsers are protected by default or not nowadays? – Ilya Chernomordik Oct 23 '21 at 16:47

1 Answer

0

Hmm, I've got the same worry about MIME sniffing nowadays. I tested Edge, Chrome, Firefox and Opera, and it seems that 'modern' browsers don't use 'sniffing' anymore: whether or not I set the 'nosniff' option on the web server, when I rename an HTML file to a JPG file, these browsers always try to display an image. If a browser used 'sniffing', it should have displayed an HTML page. If a user still uses an 'old' browser, it may potentially have other security issues (it is like not updating one's antivirus app).

Arnaud
  • Sniffing has less to do with the extension than the `Content-Type` response header. Were you sending that at all? If so, what value(s) were you using, and were you editing it when you changed the extension? – CBHacking Sep 10 '22 at 01:15
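
Following the comment above that sniffing depends on the `Content-Type` response header rather than the file extension, here is one way to set up the comparison in a controlled manner, as an added example (not code from the question, the answer or the comments). It is a loopback-only Python test server that returns the same HTML bytes under different declared types, with and without `X-Content-Type-Options: nosniff`; the route names and the `nosniff` query parameter are assumptions made for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# Constructed sample body: markup that is only rendered if the browser
# decides to treat the response as HTML.
BODY = b"<!doctype html><html><body><h1>rendered as HTML</h1></body></html>"

# Hypothetical test routes: path -> declared Content-Type (None = header omitted).
CASES = {
    "/as-jpeg": "image/jpeg",
    "/as-text": "text/plain",
    "/as-octet": "application/octet-stream",
    "/no-type": None,
}

def build_response(url):
    """Return (status, headers, body) for a request URL."""
    parts = urlsplit(url)
    if parts.path not in CASES:
        return 404, [("Content-Type", "text/plain")], b"unknown test case\n"
    headers = []
    declared = CASES[parts.path]
    if declared is not None:
        headers.append(("Content-Type", declared))
    # ?nosniff=1 adds the header under test; without it the browser is
    # free to apply its own sniffing rules to the declared type.
    if parse_qs(parts.query).get("nosniff") == ["1"]:
        headers.append(("X-Content-Type-Options", "nosniff"))
    return 200, headers, BODY

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = build_response(self.path)
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Bind to loopback only; open e.g. http://127.0.0.1:8000/as-text and
    # http://127.0.0.1:8000/as-text?nosniff=1 in each browser and compare.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Because the URL has no file extension and the body never changes, any difference in what a browser displays between a route and its `?nosniff=1` variant comes from the response headers alone.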