X-Content-Type-Options Header Explained

X-Content-Type-Options: nosniff is an HTTP response header that prevents browsers from MIME-type sniffing. Without it, browsers may interpret a file as a different content type than declared, allowing attackers to disguise executable scripts as images or other harmless file types.

Recommended Value

X-Content-Type-Options: nosniff

What Each Directive Does

Directive | Purpose
nosniff   | The only valid value — tells the browser to strictly follow the declared Content-Type and never guess

What Happens Without This Header

Without nosniff, an attacker can upload a file with a .jpg extension but containing JavaScript. If the server serves it with the wrong Content-Type or without one, the browser might sniff the actual content and execute it as JavaScript, bypassing XSS protections.

How to Implement

# Nginx
add_header X-Content-Type-Options "nosniff" always;

# Apache
Header always set X-Content-Type-Options "nosniff"

# Express.js
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  next();
});

Testing and Report-Only

X-Content-Type-Options has no report-only mode. It is generally safe to deploy immediately, since it only enforces the Content-Type the server already declares. The one thing to verify first is that scripts and stylesheets are served with accurate MIME types, because under nosniff a mislabelled script is blocked rather than sniffed and executed.
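As an added example (not code from the page or any project), here is a small Python audit of captured response headers: it evaluates the header the way a browser does (case-insensitive, any other value ignored) and flags the uploaded-image case described above. The sample responses are constructed.

```python
# Added illustration code (not from the page or any project): audits captured
# HTTP response headers for X-Content-Type-Options: nosniff. Samples are constructed.
from typing import Dict, List, Optional

# Common JavaScript MIME types (a subset of the WHATWG list). Under nosniff a
# browser only runs a <script> response whose declared type is one of these.
JS_MIME_TYPES = {"text/javascript", "application/javascript",
                 "application/x-javascript", "text/ecmascript", "application/ecmascript"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'curl -I' style output into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def has_nosniff(headers: Dict[str, str]) -> bool:
    """Browsers match the value case-insensitively; any other value is ignored."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"

def mime_essence(headers: Dict[str, str]) -> Optional[str]:
    """'image/jpeg; charset=binary' -> 'image/jpeg'; None when undeclared."""
    ct = headers.get("content-type")
    return ct.split(";", 1)[0].strip().lower() if ct else None

def script_may_execute(headers: Dict[str, str]) -> bool:
    """Simplified model: with nosniff a <script src> response runs only when its
    declared type is JavaScript; without it the type is not enforced for scripts."""
    return mime_essence(headers) in JS_MIME_TYPES if has_nosniff(headers) else True

def audit(raw: str) -> List[str]:
    """Findings for one captured response; an empty list means it is hardened."""
    headers = parse_headers(raw)
    findings: List[str] = []
    value = headers.get("x-content-type-options")
    if value is None:
        findings.append("X-Content-Type-Options missing")
    elif not has_nosniff(headers):
        findings.append(f"X-Content-Type-Options {value!r} is not 'nosniff'; browsers ignore it")
    if "content-type" not in headers:
        findings.append("Content-Type missing; nosniff cannot enforce an undeclared type")
    if script_may_execute(headers) and mime_essence(headers) not in JS_MIME_TYPES:
        findings.append("non-JavaScript resource could still be executed as a script")
    return findings

# Constructed sample responses for an uploaded image (e.g. /uploads/avatar.jpg)
HARDENED = "HTTP/1.1 200 OK\nContent-Type: image/jpeg\nX-Content-Type-Options: nosniff\n"
UNPROTECTED = "HTTP/1.1 200 OK\nContent-Type: image/jpeg\n"
```

Feed it the output of `curl -I` against each static or upload endpoint to confirm the header survives proxies and CDNs in front of the origin.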


Frequently Asked Questions

What does X-Content-Type-Options: nosniff do?

It tells the browser to trust the Content-Type header sent by the server and never try to guess the file type by inspecting the content. This prevents MIME confusion attacks where scripts are disguised as images or other safe file types.

Is nosniff the only valid value?

Yes. The only valid value for X-Content-Type-Options is nosniff. Any other value is ignored by the browser.

Does X-Content-Type-Options affect performance?

No. It has zero performance impact. The browser simply skips the MIME-sniffing step and trusts the declared Content-Type header, which is actually slightly faster.