Gathering detailed insights and metrics for @hint/hint-content-type
Gathering detailed insights and metrics for @hint/hint-content-type
Installations
npm install @hint/hint-content-typeDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
18.19.1
NPM Version
10.5.0
Releases
954
Dist files
dist
Updated on Oct 01, 2019
configuration-development-v6.1.1
configuration-development-v6.1.1
Updated on Mar 07, 2019
hint-sri-v3.0.5
hint-sri-v3.0.5
Updated on Mar 07, 2019
hint-no-vulnerable-javascript-libraries-v2.7.0
hint-no-vulnerable-javascript-libraries-v2.7.0
Updated on Mar 07, 2019
hint-css-prefix-order-v1.0.2
hint-css-prefix-order-v1.0.2
Updated on Mar 07, 2019
hint-amp-validator-v2.7.0
hint-amp-validator-v2.7.0
Updated on Mar 07, 2019
Languages
8
TypeScript
JavaScript
CSS
Handlebars
EJS
HTML
Batchfile
Shell
TypeScript (91.49%)
JavaScript (4.96%)
CSS (2.22%)
Handlebars (0.76%)
EJS (0.5%)
HTML (0.06%)
Batchfile (0.01%)
Shell (0.01%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
3,653 Stars
6,372 Commits
743 Forks
75 Watchers
157 Branches
105 Contributors
Updated on Jul 11, 2025
Maintainers
5
Package Meta Information
Latest Version
4.2.27
Package Id
@hint/hint-content-type@4.2.27
Unpacked Size
39.92 kB
Size
11.92 kB
File Count
13
NPM Version
10.5.0
Node Version
18.19.1
Published on
Aug 29, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
7
Peer Dependencies
1
Correct Content-Type header (content-type)
content-type warns against not serving resources with the
Content-Type HTTP response header with a value containing
the appropriate media type and charset for the response.
Why is this important?
Even though browsers sometimes ignore the value of
the Content-Type header and try to sniff the content (see also: X-Content-Type-Options hint),
it’s indicated to always send the appropriate media type and
charset for the response as, among other:
-
the media type defines both the data format and how that data is intended to be processed by browsers
-
not sending the appropriate
charset, where appropriate, may prevent things from being rendered correctly thus creating a bad user experience (see also:meta-charset-utf-8hint) -
javascript resources served with the wrong media type may be blocked
What does the hint check?
The hint checks if responses include the Content-Type HTTP response
header and its value contains the appropriate media type and charset
for the response.
A note about application/javascript
This hint recommends using a Content-Type of text/javascript for
JavaScript resources as noted in the HTML standard.
However this hint also allows application/javascript because that
value was previously recommended by the IETF in RFC 4329.
RFC 4329 has an active draft proposed to also
recommend text/javascript in the future.
See the section
Can the hint be configured below for an
example of how to require a specific Content-Type value for
JavaScript resources if desired.
Examples that trigger the hint
Content-Type response header is not sent:
1HTTP/... 200 OK 2 3...
Content-Type response header is sent with an invalid value:
1HTTP/... 200 OK 2 3... 4Content-Type: invalid
1HTTP/... 200 OK 2 3... 4Content-Type: text/html;;;
Content-Type response header is sent with the wrong media type:
For /example.png
1HTTP/... 200 OK 2 3... 4Content-Type: font/woff2
Content-Type response header is sent with an unofficial media type:
For /example.js
1HTTP/... 200 OK 2 3... 4Content-Type: application/x-javascript; charset=utf-8
Content-Type response header is sent without the charset parameter
for response that should have it:
For /example.html
1HTTP/... 200 OK 2 3... 4Content-Type: text/html
Examples that pass the hint
For /example.png
1HTTP/... 200 OK 2 3... 4Content-Type: image/png
For /example.js
1HTTP/... 200 OK 2 3... 4Content-Type: text/javascript; charset=utf-8
How to configure the server to pass this hint
How to configure Apache
By default Apache maps certain filename extensions to specific media types, but depending on the Apache version that is used, some mappings may be outdated or missing.
Fortunately, Apache provides a way to overwrite and add to the existing
media types mappings using the AddType directive. For
example, to configure Apache to serve .webmanifest files with the
application/manifest+json media type, the following can be used:
1<IfModule mod_mime.c> 2 AddType application/manifest+json webmanifest 3</IfModule>
The same goes for mapping certain filename extensions to specific
charsets, which can be done using the AddDefaultCharset
and AddCharset directives.
If you don't want to start from scratch, below is a generic starter
snippet that contains the necessary mappings to ensure that commonly
used file types are served with the appropriate Content-Type response
header, and thus, make your web site/app pass this hint.
1# Serve resources with the proper media types (f.k.a. MIME types). 2# https://www.iana.org/assignments/media-types/media-types.xhtml 3 4<IfModule mod_mime.c> 5 6 # Data interchange 7 8 # 2.2.x+ 9 10 AddType text/xml xml 11 12 # 2.2.x - 2.4.x 13 14 AddType application/json json 15 AddType application/rss+xml rss 16 17 # 2.4.x+ 18 19 AddType application/json map 20 21 # JavaScript 22 23 # 2.2.x+ 24 25 # See: https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages. 26 AddType text/javascript js mjs 27 28 29 # Manifest files 30 31 # 2.2.x+ 32 33 AddType application/manifest+json webmanifest 34 AddType text/cache-manifest appcache 35 36 37 # Media files 38 39 # 2.2.x - 2.4.x 40 41 AddType audio/mp4 f4a f4b m4a 42 AddType audio/ogg oga ogg spx 43 AddType video/mp4 mp4 mp4v mpg4 44 AddType video/ogg ogv 45 AddType video/webm webm 46 AddType video/x-flv flv 47 48 # 2.2.x+ 49 50 AddType image/svg+xml svgz 51 AddType image/x-icon cur 52 53 # 2.4.x+ 54 55 AddType image/webp webp 56 57 58 # Web fonts 59 60 # 2.2.x - 2.4.x 61 62 AddType application/vnd.ms-fontobject eot 63 64 # 2.2.x+ 65 66 AddType font/woff woff 67 AddType font/woff2 woff2 68 AddType font/ttf ttf 69 AddType font/collection ttc 70 AddType font/otf otf 71 72 73 # Other 74 75 # 2.2.x+ 76 77 AddType text/vtt vtt 78 79</IfModule> 80 81# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 82 83# Serve all resources labeled as `text/html` or `text/plain` 84# with the media type `charset` parameter set to `utf-8`. 85# 86# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset 87 88AddDefaultCharset utf-8 89 90# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91 92# Serve the following file types with the media type `charset` 93# parameter set to `utf-8`. 94# 95# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset 96 97<IfModule mod_mime.c> 98 AddCharset utf-8 .appcache \ 99 .atom \ 100 .css \ 101 .js \ 102 .json \ 103 .manifest \ 104 .map \ 105 .mjs \ 106 .rdf \ 107 .rss \ 108 .vtt \ 109 .webmanifest \ 110 .xml 111</IfModule>
Note that:
-
The above snippet works with Apache
v2.2.0+, but you need to havemod_mimeenabled in order for it to take effect. -
If you have access to the main Apache configuration file (usually called
httpd.conf), you should add the logic in, for example, a<Directory>section in that file. This is usually the recommended way as using.htaccessfiles slows down Apache!If you don't have access to the main configuration file (quite common with hosting services), add the snippets in a
.htaccessfile in the root of the web site/app.
For the complete set of configurations, not just for this rule, see the Apache server configuration related documentation.
How to configure IIS
By default IIS maps certain filename extensions to specific media types, but depending on the IIS version that is used, some mappings may be outdated or missing.
Fortunately, IIS provides a way to overwrite and add to the existing
media types mappings using the <mimeMap> element under .webmanifest files with the
application/manifest+json media type, the following can be used:
1<staticContent> 2 <mimeMap fileExtension="webmanifest" mimeType="application/manifest+json"/> 3</staticContent>
The same element can be used to specify the charset. Continuing with
the example above, if we want to use utf-8 it should be as follows:
1<staticContent> 2 <mimeMap fileExtension="webmanifest" mimeType="application/manifest+json; charset=utf-8"/> 3</staticContent>
If you don't want to start from scratch, below is a generic starter
snippet that contains the necessary mappings to ensure that commonly
used file types are served with the appropriate Content-Type response
header, and thus, make your web site/app pass this hint.
Note: the remove element is used to make sure we don't use IIS defaults
for the given extension.
1<configuration> 2 <system.webServer> 3 <staticContent> 4 <!-- IIS doesn't set the charset automatically, so we have to override some 5 of the predefined ones --> 6 7 <!-- Data interchange --> 8 <mimeMap fileExtension=".json" mimeType="application/json; charset=utf-8"/> 9 <mimeMap fileExtension=".map" mimeType="application/json; charset=utf-8"/> 10 <mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=utf-8"/> 11 <mimeMap fileExtension=".xml" mimeType="text/xml; charset=utf-8"/> 12 13 <!-- JavaScript --> 14 <!-- https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages --> 15 <mimeMap fileExtension=".js" mimeType="text/javascript; charset=utf-8"/> 16 <mimeMap fileExtension=".mjs" mimeType="text/javascript; charset=utf-8"/> 17 18 <!-- Manifest files --> 19 <mimeMap fileExtension=".appcache" mimeType="text/cache-manifest; charset=utf-8"/> 20 <mimeMap fileExtension=".webmanifest" mimeType="application/manifest+json; charset=utf-8"/> 21 22 <!-- Media files --> 23 <mimeMap fileExtension=".f4a" mimeType="audio/mp4"/> 24 <mimeMap fileExtension=".f4b" mimeType="audio/mp4"/> 25 <mimeMap fileExtension=".m4a" mimeType="audio/mp4"/> 26 <mimeMap fileExtension=".oga" mimeType="audio/ogg"/> 27 <mimeMap fileExtension=".ogg" mimeType="audio/ogg"/> 28 <mimeMap fileExtension=".spx" mimeType="audio/ogg"/> 29 30 <mimeMap fileExtension=".mp4" mimeType="video/mp4"/> 31 <mimeMap fileExtension=".mp4v" mimeType="video/mp4"/> 32 <mimeMap fileExtension=".mpg4" mimeType="video/mp4"/> 33 <mimeMap fileExtension=".ogv" mimeType="video/ogg"/> 34 <mimeMap fileExtension=".webm" mimeType="video/webm"/> 35 <mimeMap fileExtension=".flv" mimeType="video/x-flv"/> 36 37 <mimeMap fileExtension=".cur" mimeType="image/x-icon"/> 38 <mimeMap fileExtension=".ico" mimeType="image/x-icon"/> 39 <mimeMap fileExtension=".svg" mimeType="image/svg+xml; charset=utf-8"/> 40 <mimeMap fileExtension=".svgz" mimeType="image/svg+xml"/> 41 <mimeMap fileExtension=".webp" mimeType="image/webp"/> 42 43 44 <!-- Font files --> 45 <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject"/> 46 <mimeMap fileExtension=".otf" mimeType="font/otf"/> 47 <mimeMap fileExtension=".ttc" mimeType="font/collection"/> 48 <mimeMap fileExtension=".ttf" mimeType="font/ttf"/> 49 <mimeMap fileExtension=".woff" mimeType="font/woff"/> 50 <mimeMap fileExtension=".woff2" mimeType="font/woff2"/> 51 52 <!-- Others --> 53 <mimeMap fileExtension=".css" mimeType="text/css; charset=utf-8"/> 54 <mimeMap fileExtension=".html" mimeType="text/html; charset=utf-8" /> 55 <mimeMap fileExtension=".txt" mimeType="text/plain; charset=utf-8" /> 56 <mimeMap fileExtension=".vtt" mimeType="text/vtt; charset=utf-8"/> 57 </staticContent> 58 59 <!-- This is needed only if you are serving .svgz images --> 60 <outboundRules> 61 <rule name="svgz-content-enconding" enabled="true"> 62 <match serverVariable="RESPONSE_Content_Encoding" pattern=".*" /> 63 <conditions> 64 <add input="{REQUEST_Filename}" pattern="\.svgz$" /> 65 </conditions> 66 <action type="Rewrite" value="gzip" /> 67 </rule> 68 </outboundRules> 69 </system.webServer> 70</configuration>
Note that:
- The above snippet works with IIS 7+.
- You should use the above snippet in the
web.configof your application.
For the complete set of configurations, not just for this rule, see the IIS server configuration related documentation.
Can the hint be configured?
You can overwrite the defaults by specifying custom values for the
Content-Type header and the regular expressions that match the URLs
for which those values should be required.
<regex>: <content_type_value>
E.g. The following hint configuration will make webhint require
that all resources requested from a URL that matches the regular
expression .*\.js be served with a Content-Type header with the
value of application/javascript; charset=utf-8.
In the .hintrc file:
1{ 2 "connector": {...}, 3 "formatters": [...], 4 "hints": { 5 "content-type": ["error", { 6 ".*\\.js": "application/javascript; charset=utf-8" 7 }], 8 ... 9 }, 10 ... 11}
Note: You can also use the ignoredUrls
property from the .hintrc file to exclude domains you don’t control
(e.g.: CDNs) from these checks.
How to use this hint?
This package is installed automatically by webhint:
1npm install hint --save-dev
To use it, activate it via the .hintrc configuration file:
1{ 2 "connector": {...}, 3 "formatters": [...], 4 "hints": { 5 "content-type": "error", 6 ... 7 }, 8 "parsers": [...], 9 ... 10}
Note: The recommended way of running webhint is as a devDependency of
your project.
Further Reading
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0
Reason
no binaries found in the repo
Reason
Found 4/23 approved changesets -- score normalized to 1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/3rdparty.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/3rdparty.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/webhintio/hint/3rdparty.yml/main?enable=pin
- Info: 0 out of 1 GitHub-owned GitHubAction dependencies pinned
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact dist not signed: https://api.github.com/repos/webhintio/hint/releases/20378720
- Warn: release artifact parser-javascript-v2.1.0 not signed: https://api.github.com/repos/webhintio/hint/releases/15983643
- Warn: release artifact dist does not have provenance: https://api.github.com/repos/webhintio/hint/releases/20378720
- Warn: release artifact parser-javascript-v2.1.0 does not have provenance: https://api.github.com/repos/webhintio/hint/releases/15983643
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 25 are checked with a SAST tool
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
64 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-r5fx-8r73-v86c
- Warn: Project is vulnerable to: GHSA-28hp-fgcr-2r4h
- Warn: Project is vulnerable to: GHSA-89mq-4x47-5v83
- Warn: Project is vulnerable to: GHSA-5cp4-xmrw-59wf
- Warn: Project is vulnerable to: GHSA-mhp6-pxh8-r675
- Warn: Project is vulnerable to: GHSA-2qqx-w9hr-q5gx
- Warn: Project is vulnerable to: GHSA-2vrf-hf26-jrp5
- Warn: Project is vulnerable to: GHSA-4w4v-5hc9-xrr2
- Warn: Project is vulnerable to: GHSA-j58c-ww9w-pwp5
- Warn: Project is vulnerable to: GHSA-m9gf-397r-hwpg
- Warn: Project is vulnerable to: GHSA-mqm9-c95h-x2p6
- Warn: Project is vulnerable to: GHSA-prc3-vjfx-vhm9
- Warn: Project is vulnerable to: GHSA-qwqh-hm9m-p5hr
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-8gh8-hqwg-xf34
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
- Warn: Project is vulnerable to: GHSA-rmxg-73gg-4p98
- Warn: Project is vulnerable to: GHSA-6c3j-c64m-qhgq
- Warn: Project is vulnerable to: GHSA-gxr4-xjj5-5px2
- Warn: Project is vulnerable to: GHSA-jpcq-cgw6-v4j6
- Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
- Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
- Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
- Warn: Project is vulnerable to: GHSA-vcjj-xf2r-mwvc
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
2.6
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More