什么是“X-Content-Type-Options=nosniff"?

问题描述

我正在使用 OWASP ZAP 在我的本地主机上进行一些渗透测试，它一直报告此消息:

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:

Anti-MIME-Sniffing 标头 X-Content-Type-Options 未设置为'nosniff'

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

此检查特定于 Internet Explorer 8 和 Google Chrome.确保每个页面都设置了 Content-Type 标头和如果 Content-Type 标头未知，则为 X-CONTENT-TYPE-OPTIONS

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

我不知道这意味着什么，我在网上找不到任何东西.我已经尝试添加:

I have no idea what this means, and I couldn't find anything online. I have tried adding:

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />

但我仍然收到警报.

设置参数的正确方法是什么?

What is the correct way of setting the parameter?

推荐答案

它可以防止浏览器进行 MIME 类型的嗅探.大多数浏览器现在都尊重此标头，包括 Chrome/Chromium、Edge、IE >= 8.0、Firefox >= 50 和 Opera >= 13.请参阅:

It prevents the browser from doing MIME-type sniffing. Most browsers are now respecting this header, including Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50 and Opera >= 13. See :

https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true

发送带有值的新 X-Content-Type-Options 响应标头nosniff 将阻止 Internet Explorer MIME 嗅探响应远离声明的内容类型.

Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

哦，那是 HTTP 标头，而不是 HTML 元标记选项.

Oh and, that's an HTTP header, not a HTML meta tag option.

另请参阅:http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

这篇关于什么是“X-Content-Type-Options=nosniff"?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！