X-Download-Options
Downloaded files opened directly in the browser can execute scripts with access to the hosting site's security context. The X-Download-Options unofficial response header prevents this by removing the "Open" option from the download dialog.
Usage
Some browsers present the user with "Open", "Save", and "Cancel" options when downloading a file from a web application. Selecting "Open" runs the file directly within the browser, giving the downloaded content access to the site's security context. A downloaded HTML file opened this way executes scripts with access to the originating domain's cookies and session data, bypassing the Same Origin Policy.
The X-Download-Options header removes the "Open" option from the download dialog, leaving only "Save" and "Cancel". This forces the user to save the file to disk before opening, which runs the content in a local context instead of the domain context. The header was originally introduced in Internet Explorer 8 as a defense against HTML injection attacks where a malicious file uploaded to a trusted domain executes scripts under the domain's privileges.
Note
The "X-" naming convention for HTTP headers ("X" referring to "experimental") has been deprecated, and such headers need to be transitioned to the formal naming convention for HTTP headers.
Legacy
This header was designed for Internet Explorer and is recognized by IE8 and later versions. Modern browsers like Chrome, Firefox, and Safari do not implement this header. Many servers still send the header as a defense-in-depth measure alongside other security headers.
Directives
noopen
The noopen directive is the only valid value for this header. When present, the browser suppresses the "Open" option in the download dialog, requiring users to save downloaded files before opening them.
Example
The noopen value removes the "Open" button from the download dialog. Without this header, a user clicking "Open" on a downloaded HTML file runs the file within the browser using the security context of the originating site. With noopen, the user is required to save the file to disk first, which runs the file in a local context with no access to the originating domain's cookies or session data.
X-Download-Options: noopen
This header is commonly paired with other security headers in a response. Together, they form a layered defense against content injection and cross-site attacks.
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
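As an added example (not part of the original page), the following Python builds the header set a server would send when serving a user-uploaded file for download, and audits a captured response header set for the noopen directive alongside the companion headers shown above. The function names, the filename sanitisation rule and the sample header dictionaries are constructed for illustration.

```python
"""Build and audit download-response headers (added example, not from the page)."""
from typing import Dict, List


def download_headers(filename: str, content_type: str = "application/octet-stream") -> Dict[str, str]:
    """Headers for a file-download response.

    Content-Disposition: attachment asks every browser to save rather than render;
    X-Download-Options: noopen removes the "Open" button in IE8+; nosniff stops the
    browser re-interpreting the body as HTML; SAMEORIGIN limits framing.
    """
    # Keep only filename characters that cannot break the header value or
    # smuggle a second parameter (constructed rule, not a standard).
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Download-Options": "noopen",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "SAMEORIGIN",
    }


def audit_download_options(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that serves a downloadable file.

    Header names are matched case-insensitively and values trimmed. The page gives
    noopen as the only valid value, so any other value is flagged.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    xdo = lower.get("x-download-options")
    if xdo is None:
        findings.append("X-Download-Options missing")
    elif xdo.lower() != "noopen":
        findings.append(f"X-Download-Options has invalid value {xdo!r}")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if not lower.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition: attachment missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: an upload rendered inline with a malformed directive.
    weak = {"Content-Type": "text/html", "X-Download-Options": "noopen; open"}
    print(audit_download_options(weak))
    print(audit_download_options(download_headers("report.html", "text/html")))
```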