Middleware to help prevent mimetype from being sniffed


"Don't infer the MIME type" middleware


Looking for a changelog?

Some browsers will try to "sniff" MIME types. For example, if a server serves `file.txt` with a `text/plain` content-type, some browsers will still execute that file when it is loaded with `<script src="file.txt"></script>`. Many browsers will allow `file.js` to run even if the content-type isn't a JavaScript one. There are some other vulnerabilities, too.

This middleware prevents Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the `X-Content-Type-Options` header to its only option, `nosniff`:

```js
const nosniff = require('dont-sniff-mimetype')
app.use(nosniff()) // set X-Content-Type-Options: nosniff on every response
```

MSDN has a good description of how browsers behave when this header is sent.