
.htaccess: Prevent MIME Sniffing

Prevent MIME sniffing of the response

The following steps build a Content-Security-Policy (CSP) header that restricts where a page may load resources from, where its forms may submit to and who may embed it. The X-Content-Type-Options header that stops browsers from MIME-sniffing the response itself is covered at the end of this page.

  1. Restricts all fetches by default to the origin of the current website by setting the default-src directive to 'self' (this acts as the fallback for all Fetch directives)

    • This is convenient because you do not have to specify every Fetch directive that applies to your site, for example connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self', etc.
    • It also means that you must explicitly list the site(s) from which your website is allowed to load resources; otherwise loading is restricted to the same origin as the page making the request
  2. Disallows the <base> element on the website with base-uri 'none'. This prevents an attacker who can inject markup from changing the location that relative URLs resolve against, and so the location that resources are loaded from

    • If you want to use the <base> element, then use base-uri 'self' instead
  3. Only allows forms to submit to the current origin with: form-action 'self'

  4. Prevents all websites (including your own) from embedding your webpages within e.g. the <iframe> or <object> element by setting: frame-ancestors 'none'.

    • The frame-ancestors directive helps avoid clickjacking attacks and it is similar to the X-Frame-Options header
    • Browsers that support the CSP header will ignore X-Frame-Options if frame-ancestors is also specified
  5. Instructs the browser to rewrite the URLs of resources referenced over HTTP to HTTPS before fetching them, by setting the upgrade-insecure-requests directive

note

upgrade-insecure-requests only affects subresource requests; it does not ensure HTTPS for the top-level navigation. To force the website itself to be loaded over HTTPS you must also send the Strict-Transport-Security header.

  6. Sends the Content-Security-Policy header in all responses that are able to execute script. This includes the commonly used file types: HTML, XML and PDF documents. Although JavaScript files cannot execute scripts in a "browsing context", they are included to cover web workers.
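Putting the six steps together, as an added example that is not the page's own configuration: the .htaccess fragment below sends the assembled policy only on responses whose Content-Type can carry script, using the expr= condition of mod_headers (Apache 2.4 or newer). The Content-Type regular expression and the choice of base-uri 'none' rather than base-uri 'self' are assumptions that follow the steps above; adjust both to your site.

```apache
# Added example: a Content-Security-Policy assembled from the six steps above.
# Assumes Apache 2.4 or newer with mod_headers enabled.
<IfModule mod_headers.c>
    # (1) default-src 'self'        : same-origin fallback for every Fetch directive
    # (2) base-uri 'none'           : forbid <base>; use base-uri 'self' if you need it
    # (3) form-action 'self'        : forms may only submit to this origin
    # (4) frame-ancestors 'none'    : nobody may frame these pages (clickjacking)
    # (5) upgrade-insecure-requests : rewrite http: subresource URLs to https:
    # (6) the expr= condition limits the header to Content-Types that can run
    #     script: HTML, XML (including SVG), PDF and JavaScript (for web workers).
    #     The regex is an assumption; extend it if you serve other scriptable types.
    Header always set Content-Security-Policy \
        "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" \
        "expr=%{CONTENT_TYPE} =~ m#text/(html|javascript)|application/(pdf|javascript)|xml#i"

    # upgrade-insecure-requests covers subresources only; Strict-Transport-Security
    # is still required for the top-level navigation and is not shown here.
</IfModule>
```

"Header always" matters: without "always" the header is dropped from error responses (404, 500), which are often HTML and just as exposed to injection. Verify the result with a request for each listed type and one for an image, for example curl -sI https://example.test/page.html, and confirm the header appears only where the Content-Type matches.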

Some older browsers try to guess (sniff) the content type of a resource from its bytes, even when the server does not declare the Content-Type correctly. Sending X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type instead, which reduces exposure to drive-by download attacks and cross-origin data leaks. Note that with nosniff set, browsers also refuse to run scripts or apply stylesheets whose declared MIME type is wrong, so make sure .js files are served as text/javascript and .css files as text/css before enabling it.

<IfModule mod_headers.c>
    # Stop browsers from guessing the MIME type of a response.
    # "always" also sets the header on error responses (e.g. 404, 500).
    Header always set X-Content-Type-Options "nosniff"
</IfModule>