Middleware to help prevent mimetype from being sniffed
JavaScript
Latest commit ab06524 Jan 13, 2016 @EvanHahn EvanHahn Add npmignore
test Simplify a test Dec 18, 2015
.gitignore Initial commit Oct 28, 2014
.npmignore Add npmignore Jan 13, 2016
.travis.yml Travis should test newer Node versions Dec 18, 2015
LICENSE Update license year for 2016 Jan 4, 2016
README.md Add note about changelog Dec 31, 2015
index.js Use Standard.js linting Dec 18, 2015
package.json 1.0.0 Dec 18, 2015

README.md

"Don't infer the MIME type" middleware

Looking for a changelog?

Some browsers will try to "sniff" mimetypes. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript. There are some other vulnerabilities, too.

This middleware keeps Chrome, Opera, and IE from doing this sniffing (and Firefox soon). The following example sets the X-Content-Type-Options header to its only option, nosniff:

var nosniff = require('dont-sniff-mimetype')
// `app` is your existing Express or Connect application
app.use(nosniff())

MSDN has a good description of how browsers behave when this header is sent.
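
The file.txt case above, worked through as an added example (not code from this repository): a stand-in middleware with the same effect sets the header on a constructed response, and a simplified model of the nosniff check for script and style loads reports whether the load is refused. The names nosniffStandIn, blockedByNosniff, fakeResponse and scriptLoadRefused are hypothetical, and the MIME type list is a subset.

```javascript
// Stand-in with the same observable effect as the middleware described above
// (assumption: written for this example, not the package's source).
function nosniffStandIn () {
  return function (req, res, next) {
    res.setHeader('X-Content-Type-Options', 'nosniff')
    next()
  }
}

// Subset of the JavaScript MIME types a nosniff-honoring browser accepts for <script>.
var JS_TYPES = ['text/javascript', 'application/javascript', 'application/ecmascript',
  'text/ecmascript', 'application/x-javascript']

// Simplified model of the browser-side nosniff check (assumption: script and style only).
function blockedByNosniff (headers, destination) {
  // Only the first comma-separated value counts, compared case-insensitively.
  var opt = String(headers['x-content-type-options'] || '').split(',')[0].trim().toLowerCase()
  if (opt !== 'nosniff') return false
  // Ignore parameters such as "; charset=utf-8".
  var type = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase()
  if (destination === 'script') return JS_TYPES.indexOf(type) === -1
  if (destination === 'style') return type !== 'text/css'
  return false
}

// Constructed response object: records headers under lowercase names.
function fakeResponse (contentType) {
  var headers = { 'content-type': contentType }
  return {
    headers: headers,
    setHeader: function (name, value) { headers[name.toLowerCase()] = value }
  }
}

// Serve file.txt as text/plain, optionally through the middleware, and report
// whether <script src="file.txt"> would be refused.
function scriptLoadRefused (useMiddleware) {
  var res = fakeResponse('text/plain')
  if (useMiddleware) nosniffStandIn()({ url: '/file.txt' }, res, function () {})
  return blockedByNosniff(res.headers, 'script')
}

console.log('without middleware, refused:', scriptLoadRefused(false)) // false
console.log('with middleware, refused:', scriptLoadRefused(true)) // true
```

The same check is useful in a deployment test: a response that carries the header but an incorrect Content-Type for a real script or stylesheet will be refused too, so audit both headers together.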