# Mime Sniffing Analyzer PRO
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |

Class: `Enlightn\EnlightnPro\Analyzers\Security\MimeSniffingAnalyzer`
# Introduction
This analyzer detects whether your application sets the `X-Content-Type-Options` header. This header tells browsers to honour the content type the server explicitly declares instead of guessing it from the content, which helps prevent MIME sniffing attacks.

In a MIME sniffing attack, an attacker disguises an HTML file as a different file type and uploads it to the web server. A browser that sniffs the content may then render the file as HTML, giving the attacker the possibility to execute XSS.
# How To Fix
To fix this issue, you may set the `X-Content-Type-Options` header on your web server.

For Nginx, you may use the `add_header` directive in your `server` or `location` block:

```nginx
add_header X-Content-Type-Options "nosniff";
```
For Apache, you may use the `Header` directive in your `<VirtualHost>`, `<Directory>` or `<Location>` container:

```apache
Header set X-Content-Type-Options "nosniff"
```
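As an added example that is not part of the Enlightn package, the following Python script verifies the fix the way a browser evaluates it (the Fetch standard's "determine nosniff" rule): it parses a raw HTTP response head, matches the header name case-insensitively, joins repeated headers with commas and accepts only a first value of `nosniff`. The sample responses are constructed, and `audit_url` is a hypothetical helper for checking a live host.

```python
import http.client
from typing import List, Tuple

# Constructed sample response heads (not captured from a real server).
SAMPLE_RESPONSES = {
    "hardened":   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    "missing":    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "bad_value":  "HTTP/1.1 200 OK\r\nx-content-type-options: none\r\n\r\n",
    "mixed_case": "HTTP/1.1 200 OK\r\nX-CONTENT-TYPE-OPTIONS: NoSniff\r\n\r\n",
    "duplicate":  "HTTP/1.1 200 OK\r\nX-Content-Type-Options: foo\r\nX-Content-Type-Options: nosniff\r\n\r\n",
}


def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Turn a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # an empty line terminates the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def check_nosniff(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Mirror the browser's 'determine nosniff' step from the Fetch standard:
    header names are case-insensitive, repeated headers are combined with
    commas, and only the first comma-separated value is compared (ASCII
    case-insensitively) against 'nosniff'."""
    values = [v for n, v in headers if n.lower() == "x-content-type-options"]
    if not values:
        return False, "X-Content-Type-Options header is missing"
    first = ",".join(values).split(",")[0].strip()
    if first.lower() != "nosniff":
        return False, f"first value is {first!r}; browsers only honour 'nosniff'"
    return True, "nosniff is set"


def audit_raw(raw: str) -> Tuple[bool, str]:
    return check_nosniff(parse_head(raw))


def audit_url(host: str, path: str = "/", port: int = 443) -> Tuple[bool, str]:
    """Hypothetical helper: audit a live HTTPS endpoint (needs network access)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return check_nosniff(conn.getresponse().getheaders())
    finally:
        conn.close()
```

Run `audit_raw` over the samples to see that a wrong first value (the `duplicate` case) fails even though a later header carries `nosniff`.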
# Skip Condition
This analyzer is skipped for stateless apps (e.g. API only).