X-Download-Options

Security Glossary - Security Headers

Definition: X-Download-Options is a Microsoft-specific header with a single value: noopen. It prevents Internet Explorer from directly opening downloaded files in the browser context of the originating site, forcing users to save files before opening them. This prevents downloaded HTML or script files from executing with your site's cookies and permissions.

The Importance of X-Download-Options

In older versions of Internet Explorer, when a user downloaded a file and chose 'Open' instead of 'Save', the file could execute in the security context of the originating site. This meant a malicious file served from your domain could access your cookies and make requests as the authenticated user.

X-Download-Options: noopen removes the 'Open' option from IE's download dialog, forcing users to save first. This breaks the security context association and prevents the attack. While this is primarily an IE-specific issue, the header is harmless for other browsers.

With IE nearing complete retirement, this header is decreasing in relevance. However, enterprise environments still use IE, and the header is trivial to implement. Security scanners still check for it, and including it satisfies compliance requirements at zero cost.

How to Test for X-Download-Options

A security audit checks for the X-Download-Options header. Set it to "noopen" on all responses, especially those that serve downloadable files. This is a single-line server configuration change.


X-Download-Options FAQ

Is X-Download-Options relevant for modern browsers?

It primarily affects Internet Explorer. Modern browsers handle downloads differently and are not vulnerable to this specific attack. However, setting it is harmless and satisfies security scanner requirements.

Should I set this on all responses or just downloads?

Setting it on all responses is simplest and harmless. If you prefer precision, set it on responses that include Content-Disposition: attachment headers (file downloads).
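As an added example (not DomainOptic's code), the Python below implements both policies from the FAQ and the audit check described above: a function that flags a response whose header is missing or set to anything other than noopen, with an optional downloads-only mode keyed on Content-Disposition: attachment, and a WSGI middleware that sets the header on every response. The header lists and sample responses are constructed for illustration.

```python
# Added example, not DomainOptic's code: audit and enforce X-Download-Options
# on HTTP response headers, given as WSGI-style (name, value) pairs.
# The sample responses at the bottom are constructed for illustration.
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup of the first matching header value."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

def is_download(headers: Headers) -> bool:
    """True when the response is a file download (Content-Disposition: attachment)."""
    disposition = get_header(headers, "Content-Disposition") or ""
    return disposition.split(";")[0].strip().lower() == "attachment"

def audit_x_download_options(headers: Headers, downloads_only: bool = False) -> List[str]:
    """Return findings for one response; empty list means the check passes.
    downloads_only=True is the FAQ's narrower policy: only attachment responses need it."""
    value = get_header(headers, "X-Download-Options")
    if value is None:
        if downloads_only and not is_download(headers):
            return []
        return ["X-Download-Options header missing"]
    if value.strip().lower() != "noopen":
        return [f"X-Download-Options is {value!r}; the only valid value is 'noopen'"]
    return []

def with_x_download_options(headers: Headers) -> Headers:
    """Copy of the headers with X-Download-Options: noopen set exactly once."""
    kept = [(k, v) for k, v in headers if k.lower() != "x-download-options"]
    return kept + [("X-Download-Options", "noopen")]

def download_options_middleware(app):
    """WSGI middleware adding the header to every response (the page's 'simplest' option)."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            return start_response(status, with_x_download_options(list(headers)), exc_info)
        return app(environ, _start_response)
    return wrapped

# Constructed sample responses
DOWNLOAD_NO_HEADER: Headers = [("Content-Type", "text/html"),
                               ("Content-Disposition", 'attachment; filename="report.html"')]
PLAIN_PAGE: Headers = [("Content-Type", "text/html")]
DOWNLOAD_BAD_VALUE: Headers = [("Content-Disposition", "attachment"), ("X-Download-Options", "open")]
```

Wrap your WSGI application with download_options_middleware to apply the all-responses policy, or run audit_x_download_options over captured response headers to reproduce the scanner's check.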