
dont-sniff-mimetype

Middleware to prevent mimetype from being sniffed

1.1.0  •  Published 7 months ago  •  by helmetjs  •  MIT License

“Don’t infer the MIME type” middleware


Some browsers try to “sniff” the MIME type of a response from its content instead of trusting the Content-Type header. For example, if your server serves file.txt with a text/plain content type, some browsers will still execute it when a page references it as <script src="file.txt"></script>, and many browsers will run file.js even when its Content-Type is not a JavaScript type. Any content an attacker can place on your origin that merely looks like script can then be treated as script, whatever type you declared for it.

The browser’s same-origin policy generally keeps cross-origin resources from being loaded in dangerous ways, but browser vulnerabilities have allowed that protection to be bypassed. Some browsers, Chrome among them, also treat the X-Content-Type-Options header as a signal to isolate a response more strictly, keeping it out of the memory of a renderer process belonging to another site.

Sniffing has been the ingredient in other attacks as well.

This middleware stops Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the X-Content-Type-Options header to its only defined value, nosniff, on every response the app sends:

const express = require('express')
const nosniff = require('dont-sniff-mimetype')
const app = express()
app.use(nosniff())  // every response now carries X-Content-Type-Options: nosniff

MSDN has a good description of how browsers behave when this header is sent.


Popularity

Weekly Downloads
635.6K
Stars
16

Maintenance

Development

Last ver 7 months ago
Created 5 years ago
Last commit 2 months ago
1 month between commits

Technology

Node version: 12.1.0
5K unpacked

Compliance

MIT License
OSI Approved
0 vulnerabilities

Contributors

2 contributors
Evan Hahn
Maintainer, 40 commits, 1 merge, 1 PR
Works at Airtable
opl-
1 commit, 1 PR
Adam Baldwin
Maintainer
Works at npm

Tags

helmet
security
express
connect
mimetype
x-content-type-options
© 2019 Devstore, Inc.