include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In Express.js application the code is sensitive if the https://www.npmjs.com/package/dont-sniff-mimetype[dont-sniff-mimetype] middleware is not used:

----
const express = require('express');

let app = express(); // Sensitive

app.get('/images/picture.png', function (req, res) {
  res.type('image');
  res.sendFile( __dirname + '/images/picture.png');
});
----

== Compliant Solution

In Express.js application a standard way to instruct browsers to not perform MIME types sniffing is with the https://www.npmjs.com/package/dont-sniff-mimetype[dont-sniff-mimetype] middleware. Note that when using https://expressjs.com/en/4x/api.html#express.static[express.static] X-Content-Type-Options header is automatically set to <code>nosniff</code>:

----
const express = require('express');
const dontSniffMimetype = require('dont-sniff-mimetype');

let app1 = express();
app1.use(dontSniffMimetype()); // Compliant
app1.get('/images/picture.png', function (req, res) {
  res.type('image');
  res.sendFile( __dirname + '/images/picture.png');
});

let app2 = express();
app2.use(express.static('images_repository'));  // Compliant, static resources inside images_repository folder are served with X-Content-Type-Options HTTP header set to nosniff
----

include::../see.adoc[]