"x-content-type-options: nosniff" only for CSS and JS

laukstein · May 15, 2018, 5:42pm

Two issues:

x-content-type-options setting mustn’t be under Crypto “HSTS” since isn’t releated
Cloudflare must fallow spec and add “x-content-type-options: nosniff” only to JS and CSS, see
Fetch Standard and

‘Note: nosniff only applies to “script” and “style” types. Also applying nosniff to images turned out to be incompatible with existing web sites.’

Even when origin server defines x-content-type-options correctly, Cloudflare still will rewrite it (and add a bug) when “No-Sniff Header” enabled in Crypto > HSTS settings.

sandro · January 4, 2019, 5:44pm

I take the liberty and bump this. IMHO the OP made good points.

zfogg · December 24, 2020, 1:50pm

+1 this was an issue for me too

kpendic · May 9, 2021, 5:40am

+1 - this is very good point. Please correct this CF

Topic		Replies	Views
Is there a way to allow .php files to be used for CSS (text/css MIME type), or disable strict MIME checking? General	2	1618	August 10, 2022
Welcome change in rocket loader but Website, Application, Performance	2	2098	August 11, 2021
Website showing html code instead of web page on Chrome Getting Started dns , bug	6	7968	February 4, 2019
The resource from “https://xyz.com/” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff) Argo	5	10401	June 7, 2022
Vary: Accept-Encoding header Website, Application, Performance	23	7761	February 24, 2020

"x-content-type-options: nosniff" only for CSS and JS

Related topics