My apologies if this is a basic question, but here goes:
I'm seeing a confusing issue when setting HTTP headers in my .NET Core website's web.config.
In the "customHeaders" element, I've added the "X-Content-Type-Options" header with the value "nosniff".
Before this is added, the server response shows the "Content-Type" header.
However, once the "X-Content-Type-Options" header is set, no "Content-Type" header is returned.
Additionally, the site now displays the page source rather than the rendered page/content:
Reading about this, I see that setting the "X-Content-Type-Options" header should simply:
- Indicate that the MIME types in the "Content-Type" headers should be followed and not changed
- Prevent MIME type sniffing
The recommendation on several resources (MDN, OWASP) states both headers should be used together and are expected to be set to pass "site security testing".
Questions
- Could the "page source" response be due to application code at the server stripping or changing the MIME type from "text/html" in the "Content-Type" header?
- Why would setting the "X-Content-Type-Options" cause the server to do this?
What's been tried
- Load site without "X-Content-Type-Options" header, inspect in Chrome DevTools
- Add the "X-Content-Type-Options" header to the "web.config" file, reload the site and compare headers in response
Expectation
- Setting both headers renders page as normal with MIME type sniffing disabled
Sources:
Any advice on this would be appreciated! Thanks.
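Added example, not part of the question above: a small script that does the two checks the question describes by hand, parsing a web.config for the nosniff entry under the standard IIS path (system.webServer/httpProtocol/customHeaders) and auditing a response's headers for the Content-Type / X-Content-Type-Options pair. The web.config fragment and header maps are constructed sample input; the audit_url helper and the expected type "text/html" are my assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Constructed web.config fragment in the layout IIS expects for custom headers.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def nosniff_in_web_config(xml_text: str) -> bool:
    """True if customHeaders declares X-Content-Type-Options: nosniff."""
    root = ET.fromstring(xml_text)
    path = "./system.webServer/httpProtocol/customHeaders/add"
    for add in root.iterfind(path):
        if add.get("name", "").lower() == "x-content-type-options":
            return add.get("value", "").strip().lower() == "nosniff"
    return False


def audit_headers(headers: dict, expected_type: str = "text/html") -> list:
    """Return findings for a response header map (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ct = h.get("content-type")
    if ct is None:
        findings.append("Content-Type missing: nothing declares the document's MIME type")
    elif ct.split(";")[0].strip().lower() != expected_type.lower():
        findings.append("Content-Type is %r, expected %r" % (ct, expected_type))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def audit_url(url: str) -> list:
    """Fetch url and audit its response headers (hypothetical helper, needs network)."""
    with urlopen(url) as resp:
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    print("web.config has nosniff:", nosniff_in_web_config(SAMPLE_WEB_CONFIG))
    print(audit_headers({"X-Content-Type-Options": "nosniff"}))
```

An empty findings list means both headers are present and the document is declared as the expected type; a response that carries nosniff but no Content-Type is reported as the first finding.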