class Helmet::NoSniffHandler

Overview

Some browsers will try to "sniff" mimetypes. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript. There are some other vulnerabilities, too.

Luckily, browsers listen for a header called X-Content-Type-Options. If it's set to the value of nosniff, these browsers won't do this mimetype sniffing. (MSDN has a good description of how browsers behave when they receive this header.)

Example usage:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::NoSniffHandler.new,
  # ...
])

Included Modules

Defined in:

helmet/nosniffhandler.cr

Instance Method Summary

Instance Method Detail

def call(context : HTTP::Server::Context) #

[View source]