什么是“X-Content-Type-Options = nosniff”? [英] What is "X-Content-Type-Options=nosniff"?
问题描述
我正在使用OWASP ZAP在本地主机上进行一些渗透测试,并持续报告此消息:
Anti-MIME-嗅探标题X-Content-Type-Options未设置为
'nosniff'
此检查特定于Internet Explorer 8和Google Chrome。
如果Content-Type标题未知,则确保每个页面都设置Content-Type标题和
X-CONTENT-TYPE-OPTIONS
我不知道这意味着什么,也找不到任何在线内容。我已经尝试添加:
< meta content =text / html; charset = UTF-8; X-Content-Type -Options = nosniffhttp-equiv =Content-Type/>
但我仍然收到警报。
设置参数的正确方法是什么?
它可以防止浏览器进行MIME类型的嗅探。大多数浏览器现在都尊重这个标题,包括Chrome / Chromium,Edge,IE> = 8.0,Firefox> = 50和Opera> = 13。请参阅:
发送带值
的新X-Content-Type-Options响应头nosniff将阻止Internet Explorer从MIME中嗅探响应
编辑:
哦这是一个HTTP标题,而不是HTML元标记选项。
另请参阅: http://msdn.microsoft.com/en-us/library/ie/gg622941(v = vs.85).aspx
I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'
This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown
I have no idea what this means, and I couldn't find anything online. I have tried adding:
<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />
but the I still get the alert.
What is the correct way of setting the parameter?
It prevents the browser from doing MIME-type sniffing. Most browsers are now respecting this header, including Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50 and Opera >= 13. See :
Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.
EDIT:
Oh and, that's an HTTP header, not a HTML meta tag option.
See also : http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
这篇关于什么是“X-Content-Type-Options = nosniff”?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!