MIME sniffing (content sniffing) is the process by which a browser inspects the first bytes of a response body to guess its format. Browsers fall back to it when the metadata sent by the server, chiefly the `Content-Type` header, is missing, generic (for example `application/octet-stream`) or looks wrong for the bytes received.
Although sniffing makes badly configured sites render, it also lets the browser override what the server declared, and that is where the security problems start.
Setting the HTTP response header
`X-Content-Type-Options: nosniff` turns sniffing off: the browser must honour the MIME type given in the `Content-Type` header and must not reinterpret the body as something else. With `nosniff` in place, a response referenced from a `<script>` tag is only executed if its declared type is a JavaScript MIME type, and a response referenced from a stylesheet link is only applied if it is `text/css`. This only helps if the server sends correct `Content-Type` values in the first place (in nginx, via `mime.types` and `default_type`).
MIME sniffing can turn a harmless-looking file into a cross-site scripting (XSS) vector that affects both the site owner and its visitors: the attacker relies on the browser re-detecting the content as something executable.
Such a vulnerability typically arises when a website lets users upload files that are later served back from the site's own origin. The attacker uploads a file that carries a harmless name and extension, for example `avatar.jpg`, but whose bytes are actually HTML and JavaScript. If the server serves it with a generic or misleading `Content-Type` and the browser sniffs the body, the browser may render it as an HTML document (or load it as a script via `<script src=...>`), executing the attacker's code in the context of the vulnerable site. Note that the script runs in the browser, not on the server: this is XSS, not server-side code execution. `nosniff` closes the browser side of this chain; validating uploads, serving them with an explicit non-executable `Content-Type`, and ideally hosting them on a separate origin close the server side.
Add the header in
nginx.conf. Place the directive in the
http section so that it applies to all servers (vhosts), and remember that nginx does not merge `add_header` directives across levels: any `server` or `location` block that declares its own `add_header` discards the ones inherited from `http`, so the header must be repeated there.
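The following nginx.conf fragment is an added example, not taken from the original page or from any particular project; the hostname `example.com` and the `/var/www` paths are assumptions. It sets `X-Content-Type-Options: nosniff` at the `http` level and shows the inheritance caveat in a location that defines its own `add_header`:

```nginx
# Added example: nginx.conf fragment enabling nosniff for all vhosts.
# Hostname and paths are placeholders, not from the original page.
http {
    # Send a correct Content-Type for known extensions; nosniff only helps
    # if the declared type is right. Unknown types get octet-stream, which
    # browsers download rather than render.
    include       mime.types;
    default_type  application/octet-stream;

    # "always" (nginx >= 1.7.5) also emits the header on 4xx/5xx responses,
    # which otherwise would not carry it.
    add_header X-Content-Type-Options "nosniff" always;

    server {
        listen 80;
        server_name example.com;   # assumed hostname

        location / {
            root /var/www/html;
            # No add_header here, so the http-level nosniff is inherited.
        }

        # User uploads: this block declares its own add_header, which
        # drops everything inherited from http, so nosniff is repeated.
        location /uploads/ {
            root /var/www;
            add_header Cache-Control "no-store";
            add_header X-Content-Type-Options "nosniff" always;
            # Force a non-executable type regardless of what the uploader
            # named the file; combined with nosniff the browser will not
            # treat the bytes as HTML or JavaScript.
            types { }
            default_type application/octet-stream;
        }
    }
}
```

After reloading nginx, verify every path you care about, including an error page and a file under `/uploads/`, with `curl -sI` and check that the `X-Content-Type-Options: nosniff` line is present in each response; a missing header on one location usually means that location has its own `add_header` without the repeated directive.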