How do I add X-Content-Type-Options: nosniff to files served by Fastly?


#1

We generally serve files with X-Content-Type-Options: nosniff to prevent IE from doing something inappropriate (and possibly exploitable) with the content.

However we noticed our Fastly CDN served files do not have this header.

How can we add this header?


#2

OK, I found this:

https://docs.fastly.com/guides/tutorials/adding-or-modifying-headers-on-http-requests-and-responses

And I think this is correct?

Type: Response, Set
Destination: http.X-Content-Type-Options
Source: "nosniff"

Anyway, the goal is to get this header set in responses:

X-Content-Type-Options: nosniff

#3

Yes, that is correct.


#4

Thanks! I can confirm that I now see the proper header via curl -I so this seems correct!


#5

Great!

Just as a note when you check for the headers, you'll want to stay away from curl -I, as that's a HEAD request. On HEAD requests, we don't cluster, and when we don't cluster, the cache nodes act individually. As a result, you may see intermittent behavior. Instead, we recommend you use curl -svo /dev/null <url>.
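A small check script written for this answer (added here, not code from any poster or from Fastly) that follows the advice above: it fetches with a GET via curl -svo /dev/null instead of curl -I and verifies that the response carries X-Content-Type-Options: nosniff. The sample header blocks and the URL in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): verify that a URL
# returns X-Content-Type-Options: nosniff using a GET rather than curl -I,
# since HEAD requests are not clustered on Fastly and may answer inconsistently.

# has_nosniff: read curl -v style response headers on stdin; succeed (0)
# only if an X-Content-Type-Options header with value "nosniff" is present.
# Header name and value are compared case-insensitively, and the "< "
# prefix curl prints before each response header line is stripped.
has_nosniff() {
  tr -d '\r' | awk '
    { sub(/^< /, "") }                       # drop curl verbose prefix
    {
      i = index($0, ":"); if (i == 0) next   # not a header line
      name = tolower(substr($0, 1, i - 1))
      val  = tolower(substr($0, i + 1))
      gsub(/^[ \t]+|[ \t]+$/, "", val)       # trim surrounding whitespace
    }
    name == "x-content-type-options" && val == "nosniff" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_url: GET the URL, discard the body, and feed curl's verbose output
# (written to stderr, hence 2>&1) into has_nosniff.
# Returns 0 when the header is present with value nosniff, 1 otherwise.
check_url() {
  curl -svo /dev/null "$1" 2>&1 | has_nosniff
}

# Constructed sample responses used to exercise has_nosniff offline.
SAMPLE_OK='< HTTP/1.1 200 OK
< Content-Type: text/javascript
< x-content-type-options: NoSniff
< Via: 1.1 varnish'
SAMPLE_MISSING='< HTTP/1.1 200 OK
< Content-Type: text/javascript
< Via: 1.1 varnish'

# Usage (placeholder URL): sh check_nosniff.sh https://cdn.example.com/app.js
for u in "$@"; do
  if check_url "$u"; then echo "OK       $u"; else echo "MISSING  $u"; fi
done
```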