Target is missing the X-Content-Type-Options response header

Detailed description

The X-Content-Type-Options HTTP response header acts as a flag that the server sets to tell the client to honour the MIME type declared in the Content-Type header and not to second-guess it. This disables MIME type sniffing on the client side; in other words, the webmaster is asserting that the Content-Type values the server sends are correct.

When the X-Content-Type-Options response header is absent, browsers may sniff the content type themselves and treat a response as a different type than the server declared, which leaves the target URL more exposed to cross-site scripting attacks.

Solution

Configure your server to send an "X-Content-Type-Options" header with a value of "nosniff" on all outgoing responses. For Apache see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
For IIS see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx
For nginx see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html

Apache solution

Reference:
https://stackoverflow.com/questions/21322295/how-can-i-add-x-content-type-options-nosniff-to-all-the-response-headers-from

Find the Apache configuration file and make sure the mod_headers module is loaded (the line must be present and not commented out):

LoadModule headers_module modules/mod_headers.so

Add the following to the .htaccess file in the project's root directory:

# Extra Security Headers
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>

IIS solution

Reference:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753133(v=ws.10)

The steps are as follows: in IIS Manager, select the site, open the HTTP Response Headers feature, choose Add, and enter X-Content-Type-Options as the name and nosniff as the value.
[Screenshots of the IIS Manager steps omitted]
After the setting is saved there is no need to restart the service; it takes effect immediately.

Verification

Open the browser's developer tools (F12), select the network request for the page and check its response headers for X-Content-Type-Options: nosniff, as shown below:
[Screenshot of the browser network panel omitted]
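The same check can be scripted instead of read off the F12 panel. The script below is an added example, not part of the original post: it parses a captured raw HTTP response (two constructed samples are embedded, one before and one after the fix) and reports whether the header is missing, present with a value browsers will not honour, or correct; given a URL on the command line it runs the same check against a live server, which assumes the URL is reachable from where the script runs.

```python
# Added example (not from the original post): report whether an HTTP response
# carries X-Content-Type-Options: nosniff, from a captured raw response or,
# optionally, from a live URL passed on the command line.
import sys
import urllib.request


def parse_response_headers(raw_response):
    """Split a raw HTTP/1.x response (bytes) into its status line and a dict
    of header-name -> [values]. Names are lower-cased because HTTP header
    names are case-insensitive; repeated headers keep every value."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def nosniff_verdict(headers):
    """Return "ok", "missing" or "invalid". Browsers only honour the token
    "nosniff" (matched case-insensitively); any other value is as good as
    absent, so it is reported separately to make the misconfiguration visible."""
    values = headers.get("x-content-type-options", [])
    if not values:
        return "missing"
    if all(v.lower() == "nosniff" for v in values):
        return "ok"
    return "invalid"


def check_url(url):
    """Fetch url with GET (some servers only add headers on full responses)
    and return the verdict for its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value.strip())
    return nosniff_verdict(headers)


# Constructed sample responses, as a scanner might capture them.
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
FIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         b"X-Content-Type-Options: nosniff\r\n\r\n<html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_url(sys.argv[1]))
    for raw in (MISSING, FIXED):
        print(nosniff_verdict(parse_response_headers(raw)[1]))
```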

Source: blog.csdn.net/lxyoucan/article/details/131725900