How do I make my CSS and JS files send HTTP response header

Question

We did a penetration testing on a web app created in Laravel 4. One of the findings is "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'". The PHP code below sends the HTTP header for the sniffing issue,

header('X-Content-Type-Options: nosniff');

Our second penetration testing showed the same findings for CSS and JS files. How do I get my CSS and JS files to send the same header? Or is there a way for me to have all files requesed send the HTTP header.

What type of server is it run on? Apache/Nginx? For example, in Nginx you could do something like: add_header X-Content-Type-Options "nosniff";. — Darren
We are running Apache. I've checked out one resource on the web, which recommended a script on .htaccess. this worked — Jaime Dolor jr.
Was going to say this is the way to go (via the server) as you wouldn't be able to do it from within PHP. — Darren

Jaime Dolor jr. Jaime Dolor jr. · Accepted Answer · 2017-02-27T03:26:51

I've checked out this resource, https://kb.sucuri.net/warnings/hardening/headers-x-content-type. Following the instructions, I added the following codes on .htaccess

<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>

On Chrome Tools > Network, all CSS and JS files send the header

How do I make my CSS and JS files send HTTP response header

1 Answers