Part 7 of the series "EU Web Security: 10 Steps to a Better Rating"
X-Content-Type-Options
The Problem
Browsers sometimes try to "guess" a file's type — regardless of the Content-Type header. An image that actually contains JavaScript? The browser executes it. This is called MIME sniffing, and it is a gateway for injection attacks.
The Solution
X-Content-Type-Options: nosniff
One header, one value. The browser trusts the declared Content-Type instead of sniffing the content, and refuses to run a script or apply a stylesheet whose declared type does not match.
Adoption: 27.7%. Nearly three quarters of EU websites are vulnerable to MIME confusion attacks.
How to Set It Up
Nginx:
add_header X-Content-Type-Options "nosniff" always;
Apache:
Header always set X-Content-Type-Options "nosniff"
There is only one valid value (nosniff), no configuration, no side effects. No reason not to set it.
Referrer-Policy
The Problem
When a user clicks an external link on your website, the browser by default sends the full URL of the originating page in the Referer header. This can leak sensitive information:
https://your-domain.com/dashboard?user=12345&token=abc
https://your-domain.com/admin/reports/confidential-audit
https://your-domain.com/search?q=medical+symptoms
The operator of the target site sees the complete URL — including query parameters, paths, and session tokens.
The Solution
Referrer-Policy: strict-origin-when-cross-origin
With this policy, the browser sends:
- When navigating to another domain: only the origin (https://your-domain.com), no paths
- Within your own domain: the full URL (useful for analytics)
- On HTTPS-to-HTTP downgrade: nothing
Adoption: 13.1%.
How to Set It Up
Nginx:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Alternative Policies
| Policy | Behaviour | Recommendation |
|---|---|---|
| no-referrer | Never send referrer | Too strict (breaks analytics) |
| origin | Always send origin only | Good, but loses internal paths |
| strict-origin-when-cross-origin | Origin cross-domain, full internally | Recommended |
| same-origin | Full internally, nothing externally | Good for sensitive applications |
Both Together: The Nginx Snippet
# Security headers — copy-paste ready
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Four headers, four lines. In your Nginx configuration or an include file. Combined with Parts 1-3 of this series, they cover the six most important security headers.
Next week in Part 8: CAA Records — which certificate authority is allowed to issue certificates for your domain?