
Add X-Content-Type-Options audit

Open jbmoelker opened this issue 7 years ago • 1 comments

See:

  • https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Aug 13 '17 11:08 jbmoelker

@markomalis should we use the RequestHeaders gatherer and just test for the header on the document, or should we use the devtoolsLogs gatherer and check all HTTP requests made by the page?

MDN notes:

nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.

Is that something we should also check for?

Aug 13 '17 11:08 jbmoelker
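
One way the check discussed above could cover both options, reporting the document separately and limiting the per-request check to the script and style responses MDN says nosniff applies to. This is an added example, not code from the issue or from lighthouse-security; the record shape (`url`, `resourceType`, `responseHeaders`), the function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example: records use an assumed shape, not Lighthouse's artifact format.
const SNIFF_SENSITIVE = new Set(['script', 'stylesheet']);

// Return a response header's value, matching the name case-insensitively.
// Repeated headers are joined with ", " as HTTP combines repeated fields.
function headerValue(record, name) {
  const wanted = name.toLowerCase();
  const values = (record.responseHeaders || [])
    .filter(h => h.name.toLowerCase() === wanted)
    .map(h => h.value);
  return values.length ? values.join(', ') : null;
}

// The Fetch standard looks only at the first comma-separated value and
// compares it to "nosniff" case-insensitively, so "no-sniff" does not count.
function hasNosniff(record) {
  const value = headerValue(record, 'X-Content-Type-Options');
  if (value === null) return false;
  return value.split(',')[0].trim().toLowerCase() === 'nosniff';
}

// Audit the main document plus every script/stylesheet response.
// Images and other types are skipped, following the MDN note quoted above.
function auditNosniff(records) {
  const mainDoc = records.find(r => r.resourceType === 'document');
  const failingSubresources = records
    .filter(r => SNIFF_SENSITIVE.has(r.resourceType) && !hasNosniff(r))
    .map(r => r.url);
  return {
    documentPasses: Boolean(mainDoc) && hasNosniff(mainDoc),
    failingSubresources,
  };
}

// Constructed sample records (not captured from a real page).
const sampleRecords = [
  {url: 'https://example.test/', resourceType: 'document', responseHeaders: [{name: 'X-Content-Type-Options', value: 'nosniff'}]},
  {url: 'https://example.test/app.js', resourceType: 'script', responseHeaders: [{name: 'x-content-type-options', value: 'NoSniff'}]},
  {url: 'https://cdn.example.test/theme.css', resourceType: 'stylesheet', responseHeaders: [{name: 'Content-Type', value: 'text/css'}]},
  {url: 'https://example.test/vendor.js', resourceType: 'script', responseHeaders: [{name: 'X-Content-Type-Options', value: 'no-sniff'}]},
  {url: 'https://example.test/logo.png', resourceType: 'image', responseHeaders: []},
];

console.log(auditNosniff(sampleRecords));
```

A document-only check would pass this sample page, while the per-request check flags the stylesheet with no header and the script with the misspelled value.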