Server Configuration Examples
Server Configuration Examples
Apache Configuration
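# Global configuration
# X-Content-Type-Options: nosniff makes browsers honour the declared
# Content-Type for script and style loads instead of guessing from the body,
# so the MIME mappings at the end of this file have to be correct.
<IfModule mod_headers.c>
    # "always" also covers error responses, not only successful ones.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

# Type-specific configuration
# Only needed where the global header above is not in effect. Two points:
#  - The Header lines sit inside <IfModule> so a server without mod_headers
#    still starts, matching the global rule.
#  - They use the same "always" table as the global rule. Plain "Header set"
#    writes to the separate onsuccess table, and a response can then carry
#    the header twice.
# ForceType sets the media type through Apache's own content-type handling
# rather than overwriting the Content-Type response header afterwards.
<FilesMatch "\.(js|mjs)$">
    ForceType application/javascript
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>
</FilesMatch>
<FilesMatch "\.css$">
    ForceType text/css
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>
</FilesMatch>
# No type is forced for images: each extension keeps its own mapped type.
<FilesMatch "\.(jpg|jpeg|png|gif|webp|svg)$">
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>
</FilesMatch>

# Ensure correct MIME types
# With nosniff in place a script or stylesheet served under the wrong type is
# refused by the browser, so these mappings are part of the hardening.
AddType application/javascript .js .mjs
AddType text/css .css
AddType application/json .json
AddType application/xml .xml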
Nginx Configuration
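# Global configuration
# "always" attaches the header to error responses as well as 2xx/3xx ones.
# add_header is inherited by a nested level only when that level declares no
# add_header of its own, so blocks that add other headers must repeat it.
add_header X-Content-Type-Options "nosniff" always;

# MIME type configuration
# A types block declared at this level replaces any map inherited from an
# outer level (for example an included mime.types) instead of extending it.
# Every extension that is served therefore has to be listed here; anything
# missing falls back to default_type.
types {
    text/html               html htm shtml;
    text/css                css;
    application/javascript  js mjs;
    application/json        json;
    application/xml         xml;
    image/jpeg              jpeg jpg;
    image/png               png;
    # gif and webp added so the map covers the same image extensions as the
    # Apache example on this page.
    image/gif               gif;
    image/webp              webp;
    image/svg+xml           svg svgz;
    application/pdf         pdf;
    # Registered font media types (RFC 8081); application/font-woff2 was
    # never a registered type.
    font/woff               woff;
    font/woff2              woff2;
}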
# Location-specific headers
# Static text assets: nosniff plus a one-year public cache lifetime.
# NOTE(review): a regex location takes precedence over a plain prefix
# location, so this block also handles matching paths under /uploads/ unless
# that prefix location is declared with "^~".
location ~* \.(js|css|json|xml)$ {
    # Declaring any add_header at this level discards the ones inherited from
    # the enclosing level, which is why nosniff is restated here.
    add_header X-Content-Type-Options "nosniff" always;
    # 31536000 seconds = 365 days. Without "always" this header is sent only
    # on successful and redirect responses.
    add_header Cache-Control "public, max-age=31536000";
}
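# Prevent serving user uploads as HTML
# "^~" stops nginx from evaluating regex locations once this prefix matches.
# Without it, a regex location such as \.(js|css|json|xml)$ would handle
# /uploads/file.js and none of the settings below would apply to it.
location ^~ /uploads/ {
    # Serve every upload as an opaque download. An empty types map plus
    # default_type replaces the Content-Type nginx would otherwise derive
    # from the file extension. add_header cannot do this: it only appends a
    # second Content-Type header next to the one nginx already sends.
    types { }
    default_type application/octet-stream;

    # Both headers are declared directly in the location rather than inside
    # an "if" block. An "if" containing its own add_header does not inherit
    # these two, so the file types it matched would lose nosniff and the
    # attachment disposition.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Disposition "attachment" always;
}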