Content/MIME Sniffing Protection
Protect your Umbraco site from MIME sniffing vulnerabilities using security headers like X-Content-Type-Options.
Checks that your site contains a header used to protect against Multipurpose Internet Mail Extensions (MIME) sniffing vulnerabilities.
How to fix this health check
This health check can be fixed by adding a header before the response is started.
Preferable you use a security library like NWebSec.
Adding Content/MIME Sniffing Protection using NWebSec
If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/, you can use third extension methods on WebApplication
.
...
WebApplication app = builder.Build();
app.UseXContentTypeOptions();
...
Adding Content/MIME Sniffing Protection using manual middleware
If you do not like to have a dependency on third party libraries, you can add the following custom middleware to the request pipeline.
First create the middleware class:
namespace MySite.Middleware;
public class NoSniffMiddleware : IMiddleware
{
public async Task InvokeAsync(HttpContext context, RequestDelegate next)
{
context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
await next(context);
}
}
Next register it in Program.cs
using MySite.Middleware;
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<NoSniffMiddleware>();
builder.CreateUmbracoBuilder()
.AddBackOffice()
.AddWebsite()
.AddDeliveryApi()
.AddComposers()
.Build();
WebApplication app = builder.Build();
app.UseMiddleware<NoSniffMiddleware>();
await app.BootUmbracoAsync();
...