Middleware to help prevent mimetype from being sniffed
README.md

"Don't infer the MIME type" middleware

Looking for a changelog?

Some browsers will try to "sniff" MIME types: they guess the type of a response from its bytes instead of trusting the Content-Type header. For example, if my server serves file.txt with a text/plain content-type, some browsers will still execute that file when it is loaded with <script src="file.txt"></script>. Many browsers will also run file.js even if the content-type isn't a JavaScript type. There are some other vulnerabilities, too.

This middleware prevents Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the X-Content-Type-Options header on every response to its only defined value, nosniff:

const express = require('express') // the middleware is Express-compatible
const nosniff = require('dont-sniff-mimetype')
const app = express()
app.use(nosniff()) // every response now carries X-Content-Type-Options: nosniff
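As an added example (not the package's own index.js, and not code from the README), here is a minimal re-implementation of the middleware next to a simplified model of the browser's script-loading decision, so the file.txt case above can be checked offline. The JS_MIME_TYPES list and the scriptWouldRun model are assumptions that simplify real browser behaviour to the one rule the header introduces.

```javascript
// Minimal Express-style middleware (same idea as the package, written fresh here).
function nosniff () {
  return function (req, res, next) {
    res.setHeader('X-Content-Type-Options', 'nosniff')
    next()
  }
}

// A subset of the MIME types browsers accept as JavaScript for <script src>
// (assumption: simplified from the Fetch spec's "JavaScript MIME type" list).
const JS_MIME_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'text/ecmascript', 'application/ecmascript'
])

// Model of the browser decision for a <script src> response:
// with nosniff, only a JavaScript MIME type may execute; without it,
// a sniffing browser may execute the body regardless of Content-Type.
function scriptWouldRun (headers) {
  const get = (name) => {
    const k = Object.keys(headers).find(h => h.toLowerCase() === name)
    return k === undefined ? '' : String(headers[k])
  }
  const mime = get('content-type').split(';')[0].trim().toLowerCase()
  const nosniffSet = get('x-content-type-options').trim().toLowerCase() === 'nosniff'
  if (nosniffSet) return JS_MIME_TYPES.has(mime)
  return true // sniffing browser: Content-Type is not enforced for scripts
}

// Constructed stand-in for an Express response; records headers set on it.
function fakeResponse (initial) {
  const headers = Object.assign({}, initial)
  return { headers, setHeader (name, value) { headers[name] = value } }
}

// Serve "file.txt" as text/plain, with and without the middleware applied.
function compare () {
  const without = fakeResponse({ 'Content-Type': 'text/plain' })
  const withMw = fakeResponse({ 'Content-Type': 'text/plain' })
  nosniff()({}, withMw, () => {})
  return {
    withoutNosniff: scriptWouldRun(without.headers), // true: sniffed and run
    withNosniff: scriptWouldRun(withMw.headers),     // false: blocked
    realScript: scriptWouldRun({ 'Content-Type': 'text/javascript',
      'X-Content-Type-Options': 'nosniff' })           // true: genuine script
  }
}
```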

MSDN has a good description of how browsers behave when this header is sent.