class Helmet::NoSniffHandler


`Helmet::NoSniffHandler` is an `HTTP::Handler` that adds the `X-Content-Type-Options: nosniff` header to every response that passes through it.

Some browsers will try to "sniff" MIME types: they look at the bytes of a response and guess a type instead of trusting the server's `Content-Type`. For example, if your server serves `file.txt` with a `text/plain` content type, such browsers can still execute that file when it is referenced with `<script src="file.txt"></script>`. Many browsers will likewise run `file.js` even if the content type it was served with is not a JavaScript type. This matters for security because any endpoint that echoes user-controlled bytes (an upload, an API response, an error page) can be turned into a script or stylesheet by an attacker who can only influence the body, not the headers. There are other sniffing-related problems, too.

Luckily, browsers honour a header called `X-Content-Type-Options`. If it is set to the value `nosniff`, these browsers will not sniff the MIME type: a `<script>` whose response does not carry a JavaScript MIME type is not executed, and a stylesheet whose response is not `text/css` is not applied. This only helps if your own `Content-Type` headers are correct, so check that static and generated responses carry the type you expect before enabling it. (MSDN has a good description of how browsers behave when they receive this header.)
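As an added example that is not part of the Helmet shard, the following Crystal code builds a small handler chain with the same behaviour the text describes and runs one request through it offline, so you can see the header that reaches the client. `NoSniffExample` and `TextFileExample` are illustrative classes written for this example, not Helmet's own implementation; the chain is driven through `HTTP::Server::Context` directly, without opening a socket.

```crystal
require "http"

# Added example, not the Helmet shard's own code: a minimal handler that
# does what Helmet::NoSniffHandler is documented to do, i.e. tell the
# browser not to sniff the Content-Type of any response in this chain.
class NoSniffExample
  include HTTP::Handler

  def call(context : HTTP::Server::Context)
    context.response.headers["X-Content-Type-Options"] = "nosniff"
    call_next(context)
  end
end

# Stand-in for the application behind the handler (constructed for this
# example): a body that looks like JavaScript served as text/plain, which is
# exactly the case a sniffing browser would execute via <script src=...>.
class TextFileExample
  include HTTP::Handler

  def call(context : HTTP::Server::Context)
    context.response.content_type = "text/plain"
    context.response.print "alert('sniffed as JavaScript?')"
  end
end

# Run a GET /file.txt through the chain and return the raw HTTP response
# text, so the effect of the header can be inspected without a server.
def run_chain(with_nosniff : Bool) : String
  app = TextFileExample.new
  first = if with_nosniff
            guard = NoSniffExample.new
            guard.next = app # wire the chain: guard -> app
            guard
          else
            app
          end

  io = IO::Memory.new
  request = HTTP::Request.new("GET", "/file.txt")
  response = HTTP::Server::Response.new(io)
  context = HTTP::Server::Context.new(request, response)
  first.call(context)
  response.close # flushes the status line, headers and body into io
  io.to_s
end

# Without the handler the response carries only Content-Type: text/plain,
# which a sniffing browser may ignore; with it, the nosniff header is present.
puts run_chain(with_nosniff: false)
puts "-" * 40
puts run_chain(with_nosniff: true)
```

In a real application you would not call the handler yourself; you would place `Helmet::NoSniffHandler.new` in the handler list passed to `HTTP::Server`, as in the usage example below, and every response in that chain would get the header.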

Example usage:

require "helmet"

# Bind address is assumed here; the original example's host string was lost.
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::NoSniffHandler.new,
  # ...
])

Instance Method Summary

#call(context : HTTP::Server::Context)

Instance Method Detail

def call(context : HTTP::Server::Context)

Sets the `X-Content-Type-Options` response header to `nosniff` and then passes the context on to the next handler in the chain.