ASVS Requirement 3.4.4
- Level: 2
- Chapter: V3 Web Frontend Security
- Section: V3.4 Browser Security Mechanism Headers
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that all HTTP responses contain an 'X-Content-Type-Options: nosniff' header field. This instructs browsers not to use content sniffing and MIME type guessing for the given response, and to require the response's Content-Type header field value to match the destination resource. For example, the response to a request for a stylesheet is only accepted if the response's Content-Type is 'text/css'. This also enables the use of the Cross-Origin Read Blocking (CORB) functionality by the browser.
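The following is an added example and not part of the ASVS text or any ASVS project code. It shows the two halves of this requirement in Python: a WSGI middleware that sets the header on every response (so "all HTTP responses" is enforced centrally rather than per handler), an audit helper that checks raw response header blocks for the exact value, and a simplified model of the browser-side check that 'nosniff' turns on (the Fetch standard's "blocked due to nosniff" rule for 'style' and 'script' destinations). The app name 'demo_app', the constructed sample responses, and the reduced list of JavaScript MIME types are assumptions made for the example.

```python
"""Added example for ASVS 3.4.4: enforce, audit, and model
'X-Content-Type-Options: nosniff'. Not ASVS project code."""
from wsgiref.util import setup_testing_defaults

NOSNIFF_NAME = "X-Content-Type-Options"
NOSNIFF_VALUE = "nosniff"


def nosniff_middleware(app):
    """Wrap a WSGI app so that every response carries the nosniff header.
    Any pre-existing value is replaced so the header appears exactly once."""
    def wrapped(environ, start_response):
        def start_response_nosniff(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != NOSNIFF_NAME.lower()]
            headers.append((NOSNIFF_NAME, NOSNIFF_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_nosniff)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical app serving a stylesheet with the correct Content-Type."""
    start_response("200 OK", [("Content-Type", "text/css")])
    return [b"body { color: #000; }"]


def call_wsgi(app, path="/style.css"):
    """Run one request through a WSGI app; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def has_nosniff(headers):
    """True if a (name, value) header list satisfies the requirement.
    Header names are case-insensitive; the value must be exactly 'nosniff'."""
    return any(n.lower() == NOSNIFF_NAME.lower() and v.strip().lower() == NOSNIFF_VALUE
               for n, v in headers)


def parse_raw_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed sample responses for the audit (not captured from a real server).
SAMPLE_RESPONSES = {
    "good": b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nX-Content-Type-Options: nosniff\r\n\r\nbody{}",
    "missing": b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\nbody{}",
    "wrong_value": b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nX-Content-Type-Options: none\r\n\r\nbody{}",
}


def audit(responses):
    """Map each sample name to whether its headers meet ASVS 3.4.4."""
    return {name: has_nosniff(parse_raw_headers(raw)) for name, raw in responses.items()}


# Reduced set of JavaScript MIME type essences (assumption: subset of the full list).
JS_MIME_ESSENCES = {"text/javascript", "application/javascript",
                    "application/ecmascript", "text/ecmascript", "application/x-javascript"}


def blocked_by_nosniff(destination, content_type):
    """Simplified model of the browser check enabled by nosniff: a 'style'
    destination needs text/css, a 'script' destination needs a JavaScript
    MIME type; other destinations and a missing Content-Type are not blocked."""
    if content_type is None:
        return False
    essence = content_type.split(";", 1)[0].strip().lower()
    if destination == "style":
        return essence != "text/css"
    if destination == "script":
        return essence not in JS_MIME_ESSENCES
    return False


if __name__ == "__main__":
    status, headers, _ = call_wsgi(nosniff_middleware(demo_app))
    print(status, headers)
    print(audit(SAMPLE_RESPONSES))
    print(blocked_by_nosniff("style", "text/plain"))
```

In practice the header is usually set once at the reverse proxy or framework layer, and the audit function is the shape of a CI or scanner check: fetch every response type the application produces (pages, assets, API errors, redirects) and fail the build if any lacks the exact value.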