Google issued a security update to Chrome and asked web developers to serve a nosniff response header to help prevent hacks via web browsers. This issue is important if you are an SEO, a web developer, web designer or site publisher.
Why the Security Update Matters
The attacks (Spectre & Meltdown) exploits vulnerabilities in a visitor’s device to steal sensitive information like passwords. This presents a user experience issue.
What the Chrome Update Does
Chrome updated to version 67. It introduces a feature that was previously in beta called, Site Isolation. Site Isolation is a method to prevent an attack on a site visitor’s browser.
According to Chrome’s developer page:
“Site Isolation is a security feature in Chrome that offers additional protection against some types of security bugs. It makes it harder for untrustworthy websites to access or steal information from your accounts on other websites.
…Site Isolation offers a second line of defense to make such attacks less likely to succeed. It ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do. It will also make it possible to block the process from receiving certain types of sensitive data from other sites. As a result, a malicious website will find it more difficult to steal data from other sites, even if it can break some of the rules in its own process.”
What Google Wants You to Do
There are two things Google’s Chrome team asks developers and publishers to do in order to help Chrome’s Site Isolation feature work more efficiently.
1. Check that resources are served with correct “Content-Type” response headers
2. And that resources are served with a nosniff response header
Here’s what Google’s developer page states:
For HTML, JSON, and XML resources:
Make sure these resources are served with a correct “Content-Type” response header from the list below, as well as a “X-Content-Type-Options: nosniff” response header. These headers ensure Chrome can identify the resources as needing protection, without depending on the contents of the resources.
- HTML MIME type – “text/html”
- XML MIME type – “text/xml”, “application/xml”, or any MIME type whose subtype ends in “+xml”
- JSON MIME type – “text/json”, “application/json”, or any MIME type whose subtype ends in “+json”
Nosniff Response Header
The nosniff response header is a way to keep a website more secure.
Security researcher Scott Helme describes it like this:
“It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.”
Chrome 67 now has an automated process to protect users from the Spectre and Meltdown attacks. However Google is recommending that web developers not rely on this automatic process but to make it clear with the nosniff response header:
“…when the “nosniff” header is not present, Chrome first looks at the start of the file to try to confirm whether it is HTML, XML, or JSON, before deciding whether to protect it. If it cannot confirm this, it allows the response to be received by the cross-site page’s process. This is a best-effort approach which adds some limited protection while preserving compatibility with existing sites. We recommend that web developers include the “nosniff” header to protect their resources, to avoid relying on this “confirmation sniffing” approach.”
How to Add Nosniff Response Header
The first thing to do is check your security headers. SecurityHeaders.com is a free and easy to use tool that scans websites to see if they’re missing security related headers.
Should you need to implement a nosniff response header, one way is to use htaccess.
Htaccess code for nosniff response header:
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
How to Add Nosniff Response Header on WordPress
If you’re on WordPress, there are two plugins that can be used to add several important security headers, including the nosniff header. The first one, with 3,000+ installs is called, Security Headers. This is an easy to use plugin with minimal settings that does one thing and does it well.
The second plugin is called, HTTP Headers to Improve Security with 1,000+ installs. This plugin contains more features for hardening your security, including setting a CSP (Content-Security-Policy) header, which helps prevent cross site scripting and clickjacking.
The third plugin has 6,000+ installations, is easy to use and is comprehensive. It is called, HTTP Headers. This plugin strikes a balance between ease of use and comprehensiveness. Use your own judgment and choose what is appropriate for you.
Warning: I tend to use plugins that have the most installations and the highest ratings. But high installations do not guarantee that a plugin will be without issues and bugs. Always use caution when installing plugins.
Note: If you are using W3 Total Cache, be sure to empty your cache after updating the settings on a plugin. Otherwise the settings may not take effect.
Takeaway: Security Response Headers are Important
Even if Google Chrome was not asking publishers to add the nosniff response header, it is still a good idea to add that and other security response headers to a site.
Read Google’s security blog post, Mitigating Spectre with Site Isolation in Chrome
Images by Shutterstock, Modified by Author
