Parameter: DOMINO_X_CONTENT_TYPE_OPTIONS
Short description: Sets the X-Content-Type-Options header (typically nosniff) – prevents MIME-type sniffing by browsers.
Profile
Parameter | DOMINO_X_CONTENT_TYPE_OPTIONS |
Category | HTTP / Web |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Web Site / Internet Site document |
Possible values | typically nosniff (any other value is virtually never useful) |
Description
With DOMINO_X_CONTENT_TYPE_OPTIONS, the HTTP task writes the X-Content-Type-Options security header into every response. The value nosniff tells browsers to strictly respect the content type reported by the server and not to perform their own content-type detection ("MIME sniffing"). This prevents a class of attacks in which, for example, a file declared as an image is executed by the browser as a script.
Example configuration
DOMINO_X_CONTENT_TYPE_OPTIONS=nosniff
Notes & pitfalls
- Takes effect only after the HTTP task has been restarted (restart task http).
- The header should be set practically everywhere – omitting it significantly worsens the rating in security scanners (Observatory, securityheaders.com).
- Make sure that all delivered content has a correct Content-Type – with nosniff in force, browsers refuse to execute a script or apply a stylesheet that is served with a wrong or missing MIME type.
- Applies globally; can be overridden per site via Web Site Rule documents.
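An added example (not part of this page and not HCL Domino code) that checks a response the way a browser does: whether the header is set and, following the Content-Type pitfall above, whether a script or stylesheet would be refused once nosniff is in force. The raw responses are constructed samples, not captured Domino output.

```python
from typing import Dict, Tuple
# Added example, not Domino's own code: models how a browser treats the header
# on a response. The raw responses further down are constructed samples.
JS_MIME_TYPES = {  # JavaScript MIME type essences that browsers accept for scripts
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when X-Content-Type-Options carries nosniff (compared case-insensitively)."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"

def blocked_by_nosniff(headers: Dict[str, str], destination: str) -> bool:
    """Fetch-standard nosniff rule: a script must be served with a JavaScript MIME type
    and a stylesheet as text/css, otherwise the browser refuses the response."""
    if not nosniff_enabled(headers):
        return False  # without the header the browser may sniff and use it anyway
    essence = headers.get("content-type", "").split(";")[0].strip().lower()
    if destination == "script":
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # other destinations are not subject to the nosniff block

# Constructed sample responses (not captured Domino output): after
# DOMINO_X_CONTENT_TYPE_OPTIONS=nosniff and a restart of the HTTP task, a script
# served with a correct and with a wrong Content-Type, plus one without the header.
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n// script body")
WRONG_TYPE = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              "X-Content-Type-Options: nosniff\r\n\r\n// script body")
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n// script body"

def audit(raw: str, destination: str = "script") -> Tuple[bool, bool]:
    """Return (nosniff header present, browser would block the response as <destination>)."""
    h = parse_headers(raw)
    return nosniff_enabled(h), blocked_by_nosniff(h, destination)

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("wrong type", WRONG_TYPE), ("missing", MISSING)):
        print(label, audit(raw))
```

Point the same functions at the headers of a real response (for example from a curl -I call against the site) to confirm the header is present after the restart and that every script and stylesheet is served with a type browsers accept.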