X-Download-Options
Learn how to stop Internet Explorer from opening downloaded files in your site's security context.
X-Download-Options is a security header introduced with Internet Explorer 8 that stops the browser from opening a downloaded file directly in the security context of the site that served it. Internet Explorer is end-of-life and no other browser honours the header, so it is a legacy control; it still costs nothing to send, is checked by many header scanners, and is ignored without side effects by current browsers. Setting it ensures that IE users must save a file to disk and open it from there rather than running it straight from the download dialog.
What is X-Download-Options?#
X-Download-Options is a Microsoft-specific HTTP response header that controls how Internet Explorer handles file downloads. Its only defined value, noopen, removes the 'Open' button from the IE download dialog so that the user must save the file to disk before opening it.
Without the header, a file that the user opens straight from the download dialog is rendered in the security context of the origin that served it. Forcing a save-then-open workflow means the file is later opened as a local file, outside your site's origin.
The Open vs Save Security Risk#
The weakness addressed by X-Download-Options is how Internet Explorer handles the 'Open' action for downloaded files. When a user clicks 'Open' on a downloaded HTML file (or on content IE decides to render as HTML), IE may execute it in the context of the originating website, giving any script in the file access to cookies, session tokens, and other data for that origin.
- Files opened directly can read your website's cookies and DOM storage
- HTML files may execute inline JavaScript with your origin's permissions
- Attackers can craft files that perform actions on behalf of the authenticated user
- The save-then-open workflow breaks this chain by removing the origin context
The realistic path is a site that stores and serves user-supplied files: an attacker uploads an HTML file containing script, then lures a victim into downloading it from your domain. If the victim clicks 'Open' instead of 'Save', the script runs with access to the victim's cookies and data for your domain, enabling session hijacking or actions taken in the victim's name.
Implementation Guide#
Implementing X-Download-Options is straightforward because it has exactly one valid value, noopen. Apply the header to all server responses, including error responses, for consistent protection.
# Apache (.htaccess or httpd.conf; requires mod_headers)
Header always set X-Download-Options "noopen"
# Nginx (an add_header inside a location block replaces all inherited add_header
# directives, so repeat it in any block that sets headers of its own)
add_header X-Download-Options "noopen" always;
# Node.js / Express
app.use((req, res, next) => {
  res.setHeader('X-Download-Options', 'noopen');
  next();
});
# IIS (web.config)
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Download-Options" value="noopen" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Modern Browser Considerations#
Internet Explorer 11 reached end-of-life in June 2022 and almost all users are on browsers that ignore this header, yet X-Download-Options remains worth sending in several contexts. Many security scanning tools and hardening baselines still check for it, and it costs nothing to implement.
- Enterprise environments may still run legacy IE-based applications
- Security auditing tools flag a missing X-Download-Options header as a finding
- The header has no negative impact on modern browsers, which simply ignore it
- Including it demonstrates a thorough approach to security header configuration
- Compliance scans run for frameworks such as PCI DSS may flag missing recommended headers, even though the standards themselves do not name this header
Best Practices#
Follow these recommendations to make the most of X-Download-Options as part of your overall security header strategy.
- Always include X-Download-Options: noopen alongside your other security headers
- Combine it with Content-Disposition: attachment (with a sanitized filename) so user-supplied files are offered as downloads rather than rendered inline
- Use X-Content-Type-Options: nosniff so downloaded content cannot be sniffed into HTML
- Apply Content-Security-Policy as defense in depth for modern browsers; IE does not enforce standard CSP, so it does not replace this header there
- Serve user-uploaded files from a separate origin so that even a file rendered as HTML cannot reach your main site's cookies; this is the control that protects browsers which ignore X-Download-Options
- Set the header on all responses, not just file download endpoints
X-Download-Options works best as part of a complete set of security headers. Consider implementing it alongside X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy for comprehensive protection.
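The following is an added example, not code from the original page or from any of the server products above. It shows, in plain Node.js without third-party modules, the header set the best practices above add up to for a download endpoint, a helper that applies it to any response object with setHeader (Node http or Express), and an audit that parses captured response headers (the shape `curl -sI` prints) and reports what is missing. The audit rules are exactly the headers recommended on this page; the filename sanitization and the sample response are my own constructions, and the weak response is not a real capture.

```javascript
'use strict';

// Headers every download response should carry (values recommended above).
const DOWNLOAD_HEADERS = Object.freeze({
  'X-Download-Options': 'noopen',      // IE: remove "Open", force save-then-open
  'X-Content-Type-Options': 'nosniff', // never sniff the body into text/html
});

// Build the response headers for serving a user-supplied file as a download.
// `filename` is untrusted: control characters (CR/LF included) and non-ASCII
// are replaced so it cannot inject extra headers, quotes and backslashes are
// neutralised for the quoted-string form, and the UTF-8 original goes in
// filename* (RFC 6266 / RFC 5987 encoding).
function downloadHeaders(filename, contentType = 'application/octet-stream') {
  const asciiName = filename
    .replace(/[^\x20-\x7e]/g, '_')   // drops CR, LF and all non-ASCII characters
    .replace(/["\\]/g, '_');         // cannot break out of the quoted string
  const utf8Name = encodeURIComponent(filename); // percent-encodes CR/LF too
  return {
    ...DOWNLOAD_HEADERS,
    'Content-Type': contentType,
    'Content-Disposition':
      `attachment; filename="${asciiName}"; filename*=UTF-8''${utf8Name}`,
  };
}

// Apply the set to any response object exposing setHeader (Node http, Express).
function applyDownloadHeaders(res, filename, contentType) {
  for (const [name, value] of Object.entries(downloadHeaders(filename, contentType))) {
    res.setHeader(name, value);
  }
  return res;
}

// Parse the header block of a raw HTTP response into a lower-cased
// name -> value map. Header names are case-insensitive, so lower-case them.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//.test(line)) continue;          // status line
    const idx = line.indexOf(':');
    if (idx === -1) continue;                    // blank line or body
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Audit a header map (from parseRawHeaders or downloadHeaders) and return the
// findings; an empty array means the response matches the recommended set.
function auditDownloadHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  const xdo = h['x-download-options'];
  if (xdo === undefined) {
    findings.push('X-Download-Options missing');
  } else if (xdo.toLowerCase() !== 'noopen') {
    findings.push(`X-Download-Options has unexpected value "${xdo}"`);
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing');
  }
  if (!/^attachment(\s*;|$)/i.test(h['content-disposition'] || '')) {
    findings.push('Content-Disposition is not "attachment"');
  }
  return findings;
}

// Constructed sample (not a real capture): a download endpoint that renders
// user uploads inline and sends none of the protective headers.
const SAMPLE_WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Content-Disposition: inline',
  '',
].join('\r\n');
```

To audit a live endpoint, pipe the output of `curl -sI https://your-host/download/123` into parseRawHeaders and pass the result to auditDownloadHeaders; the returned array is the list of headers to add. Note that the audit treats header names case-insensitively but the value check for noopen is deliberately strict, since it is the only value IE recognises.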
Implementation Examples#
Force save before open
X-Download-Options: noopen
Explanation: Internet Explorer offers only 'Save' for the download, so the file cannot be opened directly in your site's security context. The header does not prevent the download itself; it only removes the 'Open' action.
Key Directives#
noopen
Removes the 'Open' option from Internet Explorer's download dialog so the file must be saved before it is opened. This is the header's only valid value.