X-Download-Options
The HTTP X-Download-Options response header is an unofficial HTTP header instructing the browser to disable the option of opening a downloaded file directly in the context of the hosting site.
Usage
Some browsers present the user with "Open", "Save", and "Cancel" options when downloading a file from a web application. Selecting "Open" runs the file directly within the browser, giving the downloaded content access to the site's security context. A downloaded HTML file opened this way executes scripts with access to the originating domain's cookies and session data, bypassing the same-origin policy.
The X-Download-Options header removes the "Open" option from the download dialog, leaving only "Save" and "Cancel". This forces the user to save the file to disk before opening, which runs the content in a local context instead of the domain context. The header was originally introduced in Internet Explorer 8 as a defense against HTML injection attacks where a malicious file uploaded to a trusted domain executes scripts under the domain's privileges.
Note
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.
Legacy
This header was designed for Internet Explorer and is recognized by IE8 and later versions. Modern browsers like Chrome, Firefox, and Safari do not implement this header. Many servers still send the header as a defense-in-depth measure alongside other security headers.
Directives
noopen
The noopen directive is the only valid value for this header. When present, the browser suppresses the "Open" option in the download dialog, requiring users to save downloaded files before opening them.
Example
The noopen value removes the "Open" button from the download dialog. Without this header, a user clicking "Open" on a downloaded HTML file runs the file within the browser using the security context of the originating site. With noopen, the user is required to save the file to disk first, which runs the file in a local context with no access to the originating domain's cookies or session data.
X-Download-Options: noopen
This header is commonly paired with other security headers in a response. Together, they form a layered defense against content injection and cross-site attacks.
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
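The header set above is only useful if every download endpoint actually sends it. The following Python is an added example, not code from the original page: a helper that builds the response headers for serving a user-uploaded file as a download (adding Content-Disposition: attachment alongside the three headers shown above), plus a small audit that parses raw response headers and reports which of the expected headers are missing or carry an unexpected value. The expected values and the sample response text are assumptions constructed for the example.

```python
"""Emit and audit the download-hardening headers discussed on this page.

Added example; the expected-value table and the sample response are
constructed for illustration, not taken from any real server.
"""
from typing import Dict, List, Tuple

# Header names are case-insensitive in HTTP; the directive values these
# headers accept are compared case-insensitively here as well (assumption).
EXPECTED: Dict[str, str] = {
    "x-download-options": "noopen",
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
}


def download_response_headers(
    filename: str, content_type: str = "application/octet-stream"
) -> List[Tuple[str, str]]:
    """Return the headers for serving an uploaded file as a download.

    Content-Disposition: attachment asks the browser to download rather
    than render inline; nosniff stops MIME sniffing from turning a file
    into HTML; noopen removes the "Open" button in legacy IE so the file
    cannot be opened in the hosting site's security context.
    """
    # Keep the filename to a conservative character set so it cannot
    # inject further header parameters.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")
    safe_name = safe_name or "download"
    return [
        ("Content-Type", content_type),
        ("Content-Disposition", f'attachment; filename="{safe_name}"'),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Download-Options", "noopen"),
        ("X-Frame-Options", "SAMEORIGIN"),
    ]


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response (status line + headers) into (name, value) pairs."""
    lines = raw.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the status line
        if line == "":
            break  # blank line ends the header block
        if ":" not in line:
            continue  # ignore malformed lines rather than crash the audit
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {header-name: problem} for each expected header that is
    missing or has an unexpected value. An empty dict means the response
    carries all three headers with the values this page recommends.
    """
    seen = {name.lower(): value.lower() for name, value in headers}
    problems: Dict[str, str] = {}
    for name, expected in EXPECTED.items():
        if name not in seen:
            problems[name] = "missing"
        elif seen[name] != expected:
            problems[name] = f"unexpected value {seen[name]!r}, want {expected!r}"
    return problems


# Constructed sample: a download endpoint that forgot nosniff and sends a
# bogus X-Download-Options value.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Disposition: attachment; filename=\"upload.html\"\r\n"
    "X-Download-Options: open\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print("hardened:", audit_headers(download_response_headers("report.html")))
    print("sample:  ", audit_headers(parse_raw_headers(SAMPLE_RESPONSE)))
```

Running the audit against `download_response_headers(...)` yields an empty dict, while the constructed sample reports `x-content-type-options` as missing and `x-download-options` as carrying an unexpected value. The same `audit_headers` function can be pointed at headers captured from a live endpoint to confirm the defense-in-depth set is actually being sent.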
Takeaway
The X-Download-Options header disables the option of opening downloaded files directly in the browser's site context. Originally an Internet Explorer feature, the header remains widely deployed as a defense-in-depth security measure.