HTTP security header
Content-Disposition
The Content-Disposition header can instruct the browser to download a response as an attachment rather than rendering it inline. For user-supplied or untrusted files, forcing download (with a safe filename) reduces the risk of the browser interpreting the content as HTML or script.
Example
Content-Disposition: attachment; filename="report.pdf"Configuration guidance
- Serve untrusted downloads as attachments, not inline.
- Sanitize filenames and pair with X-Content-Type-Options: nosniff.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app