Gathering detailed insights and metrics for @hint/hint-x-content-type-options
Gathering detailed insights and metrics for @hint/hint-x-content-type-options
💡 A hinting engine for the web
Installations
npm install @hint/hint-x-content-type-optionsDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
18.19.1
NPM Version
10.5.0
Releases
954
Dist files
dist
Updated on Oct 01, 2019
configuration-development-v6.1.1
configuration-development-v6.1.1
Updated on Mar 07, 2019
hint-sri-v3.0.5
hint-sri-v3.0.5
Updated on Mar 07, 2019
hint-no-vulnerable-javascript-libraries-v2.7.0
hint-no-vulnerable-javascript-libraries-v2.7.0
Updated on Mar 07, 2019
hint-css-prefix-order-v1.0.2
hint-css-prefix-order-v1.0.2
Updated on Mar 07, 2019
hint-amp-validator-v2.7.0
hint-amp-validator-v2.7.0
Updated on Mar 07, 2019
Languages
8
TypeScript
JavaScript
CSS
Handlebars
EJS
HTML
Batchfile
Shell
TypeScript (91.49%)
JavaScript (4.96%)
CSS (2.22%)
Handlebars (0.76%)
EJS (0.5%)
HTML (0.06%)
Batchfile (0.01%)
Shell (0.01%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
3,653 Stars
6,372 Commits
743 Forks
75 Watchers
157 Branches
105 Contributors
Updated on Jul 11, 2025
Maintainers
5
Package Meta Information
Latest Version
4.0.23
Package Id
@hint/hint-x-content-type-options@4.0.23
Unpacked Size
141.08 kB
Size
45.67 kB
File Count
17
NPM Version
10.5.0
Node Version
18.19.1
Published on
Aug 29, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
5
Peer Dependencies
1
Use X-Content-Type-Options header (x-content-type-options)
x-content-type-options requires that all resources are
served with the X-Content-Type-Options: nosniff
HTTP response header.
Why is this important?
Sometimes the metadata browsers need to know how to interpret the
content of a resource is either incorrect, not reliable, or absent.
In those cases, browsers use contextual clues that inspect the bytes
of the response to detect the file format. This is known as MIME
sniffing and it is done regardless of the specified
Content-Type HTTP header sent by servers.
For example, if a browser requests a script, but that script is served
with an incorrect media type (e.g. x/x), the browser will still detect
the script and execute it.
While content sniffing can be beneficial, it can also expose the web site/app to attacks based on MIME-type confusion leading to security problems, especially in the case of servers hosting untrusted content.
Fortunately, browsers provide a way to opt-out of MIME sniffing by
using the X-Content-Type-Options: nosniff HTTP response header.
Going back to the previous example, if the X-Content-Type-Options: nosniff
header is sent for the script and the browser detects that it’s a script
and it wasn’t served with one of the JavaScript media types, the script will be blocked.
While modern browsers respect the header mainly for scripts and stylesheets, Chromium uses this response header on other resources for Cross-Origin Read Blocking.
What does the hint check?
The hint checks if all resources are served with the
X-Content-Type-Options HTTP headers with the value of nosniff.
Examples that trigger the hint
Resource is not served with the
X-Content-Type-Options HTTP header.
1HTTP/... 200 OK 2 3... 4 5Content-Type: image/png
Script is served with the X-Content-Type-Options HTTP header
with the invalid value of no-sniff.
1HTTP/... 200 OK 2 3... 4Content-Type: text/javascript; charset=utf-8 5X-Content-Type-Options: no-sniff
Examples that pass the hint
Script is served with the X-Content-Type-Options HTTP header
with the valid value of nosniff.
1HTTP/... 200 OK 2 3... 4Content-Type: text/javascript; charset=utf-8 5X-Content-Type-Options: nosniff
How to configure the server to pass this hint
How to configure Apache
Apache can be configured to add headers using the Header
directive.
1<IfModule mod_headers.c>
2 Header always set X-Content-Type-Options nosniff
3</IfModule>Note that:
-
The above snippet works with Apache
v2.2.0+, but you need to havemod_headersenabled for it to take effect. -
If you have access to the main Apache configuration file (usually called
httpd.conf), you should add the logic in, for example, a<Directory>section in that file. This is usually the recommended way as using.htaccessfiles slows down Apache!If you don't have access to the main configuration file (quite common with hosting services), add the snippets in a
.htaccessfile in the root of the web site/app.
For the complete set of configurations, not just for this rule, see the Apache server configuration related documentation.
How to configure IIS
You can add this header unconditionally to all responses.
1<configuration> 2 <system.webServer> 3 <httpProtocol> 4 <customHeaders> 5 <add name="X-Content-Type-Options" value="nosniff" /> 6 </customHeaders> 7 </httpProtocol> 8 </system.webServer> 9</configuration>
Note that:
- The above snippet works with IIS 7+.
- You should use the above snippet in the
web.configof your application.
For the complete set of configurations, not just for this rule, see the IIS server configuration related documentation.
How to use this hint?
This package is installed automatically by webhint:
1npm install hint --save-dev
To use it, activate it via the .hintrc configuration file:
1{ 2 "connector": {...}, 3 "formatters": [...], 4 "hints": { 5 "x-content-type-options": "error", 6 ... 7 }, 8 "parsers": [...], 9 ... 10}
Note: The recommended way of running webhint is as a devDependency of
your project.
Further Reading
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0
Reason
no binaries found in the repo
Reason
Found 4/23 approved changesets -- score normalized to 1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/3rdparty.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/3rdparty.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/webhintio/hint/3rdparty.yml/main?enable=pin
- Info: 0 out of 1 GitHub-owned GitHubAction dependencies pinned
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact dist not signed: https://api.github.com/repos/webhintio/hint/releases/20378720
- Warn: release artifact parser-javascript-v2.1.0 not signed: https://api.github.com/repos/webhintio/hint/releases/15983643
- Warn: release artifact dist does not have provenance: https://api.github.com/repos/webhintio/hint/releases/20378720
- Warn: release artifact parser-javascript-v2.1.0 does not have provenance: https://api.github.com/repos/webhintio/hint/releases/15983643
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 25 are checked with a SAST tool
Reason
64 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-r5fx-8r73-v86c
- Warn: Project is vulnerable to: GHSA-28hp-fgcr-2r4h
- Warn: Project is vulnerable to: GHSA-89mq-4x47-5v83
- Warn: Project is vulnerable to: GHSA-5cp4-xmrw-59wf
- Warn: Project is vulnerable to: GHSA-mhp6-pxh8-r675
- Warn: Project is vulnerable to: GHSA-2qqx-w9hr-q5gx
- Warn: Project is vulnerable to: GHSA-2vrf-hf26-jrp5
- Warn: Project is vulnerable to: GHSA-4w4v-5hc9-xrr2
- Warn: Project is vulnerable to: GHSA-j58c-ww9w-pwp5
- Warn: Project is vulnerable to: GHSA-m9gf-397r-hwpg
- Warn: Project is vulnerable to: GHSA-mqm9-c95h-x2p6
- Warn: Project is vulnerable to: GHSA-prc3-vjfx-vhm9
- Warn: Project is vulnerable to: GHSA-qwqh-hm9m-p5hr
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-8gh8-hqwg-xf34
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
- Warn: Project is vulnerable to: GHSA-rmxg-73gg-4p98
- Warn: Project is vulnerable to: GHSA-6c3j-c64m-qhgq
- Warn: Project is vulnerable to: GHSA-gxr4-xjj5-5px2
- Warn: Project is vulnerable to: GHSA-jpcq-cgw6-v4j6
- Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
- Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
- Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
- Warn: Project is vulnerable to: GHSA-vcjj-xf2r-mwvc
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
2.6
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More