# Mime Sniffing Analyzer PRO

Category Severity Time To Fix
🛡️ Security Major 5 minutes

Class: Enlightn\EnlightnPro\Analyzers\Security\MimeSniffingAnalyzer

# Introduction

This analyzer detects whether your application sets the X-Content-Type-Options header. This header tells browsers to not ignore explicitly defined content types and helps prevent MIME sniffing attacks.

In a MIME sniffing attack, an attacker disguises an HTML file as a different file type and uploads the file to the web server. Consequently, the browser will render it as an HTML file therefore providing the attacker with the possibility to execute XSS.

# How To Fix

To fix this issue, you may set the X-Content-Type-Options header on your web server.

For Nginx, you may use the add_header directive in your server or location block:

add_header X-Content-Type-Options "nosniff";

For Apache, you may use the Header directive in your <VirtualHost>, <Directory> or <Location> container:

Header set X-Content-Type-Options "nosniff"

# Skip Condition

This analyzer is skipped for stateless apps (e.g. API only).

# References