Nucleus Powered Mitochondria
    Have ideas to improve npm?Join in the discussion! »

    dont-sniff-mimetype
    TypeScript icon, indicating that this package has built-in type declarations

    1.1.0 • Public • Published

    "Don't infer the MIME type" middleware

    Build Status

    Some browsers will try to "sniff" mimetypes. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript.

    Browsers' same-origin policies generally prevent remote resources from being loaded dangerously, but vulnerabilities in web browsers can cause this to be abused. Some browsers, like Chrome, will further isolate memory if the X-Content-Type-Options header is seen.

    There are some other vulnerabilities, too.

    This middleware prevents Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the X-Content-Type-Options header to its only option, nosniff:

    const nosniff = require('dont-sniff-mimetype')
    app.use(nosniff())

    MSDN has a good description of how browsers behave when this header is sent.

    Install

    npm i dont-sniff-mimetype

    DownloadsWeekly Downloads

    711,015

    Version

    1.1.0

    License

    MIT

    Unpacked Size

    4.97 kB

    Total Files

    6

    Last publish

    Collaborators

    • avatar