Episode 80 - MIME Sniffing

The Backend Engineering Show with Hussein Nasser - A podcast by Hussein Nasser

Categories:

Any content served through HTTP “should” include meta data about its type. This is so the browser/client knows what to do with the content it receives. For example, if the content type header is an image the browser will preview it, if it is HTML it will render the markup and execute any javascript code. Content type however is optional and web masters sometimes don’t set it, which leave the browsers wondering about the content type it is consuming. So browsers had to implement parsing and “sniffing” techniques to detect the type of content when a content type header was not served. However, this caused security problems and attacks that we explain in this video! So to prevent sniffing, web servers can return X-Content-Type-Options: nosniff which opts out browsers from sniffing the content. Media type: https://en.wikipedia.org/wiki/Media_type#Common_examples Cheers! Hussein Nasser