How to Set the X-Content-Type-Options Header

X-Content-Type-Options: nosniff prevents browsers from guessing content types, blocking MIME-confusion attacks. This guide shows how to add it on all major servers and platforms.


The X-Content-Type-Options header with the value nosniff instructs browsers to honour the declared Content-Type of a response and not attempt to guess (sniff) the content type. This prevents MIME-confusion attacks where an attacker tricks a browser into executing a file as a script by exploiting loose type detection.

The Only Value You Need

http
X-Content-Type-Options: nosniff

nosniff is the only valid value for this header. It is a simple, one-line addition with no configuration needed beyond enabling it.

Always Set the Correct Content-Type

nosniff relies on your server sending the correct Content-Type for each resource. If your server sends text/plain for a JavaScript file, the browser will refuse to execute it. Ensure your MIME types are correctly configured alongside this header.

Nginx

nginx
server {
    listen 443 ssl;
    server_name example.com;
    add_header X-Content-Type-Options "nosniff" always;
    # ... rest of config
}

bash
sudo nginx -t && sudo systemctl reload nginx

Apache

apache
<VirtualHost *:443>
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>
</VirtualHost>

Or in .htaccess:

apache
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

bash
sudo a2enmod headers && sudo systemctl reload apache2

IIS (web.config)

xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Caddy

caddyfile
example.com {
    header X-Content-Type-Options "nosniff"
    # ... rest of config
}

Cloudflare (Transform Rules)

  1. Go to Rules → Transform Rules → Modify Response Header.
  2. Add a rule with Operation: Set, Header name: X-Content-Type-Options, Value: nosniff.
  3. Deploy the rule.

Next.js

javascript
// next.config.mjs
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          { key: 'X-Content-Type-Options', value: 'nosniff' },
        ],
      },
    ];
  },
};

export default nextConfig;

Verifying the Header

bash
curl -sI https://example.com | grep -i x-content-type
# Expected: x-content-type-options: nosniff
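The following is an added example, not code from the original guide: a small Python standard-library server that sends X-Content-Type-Options: nosniff together with a correct Content-Type (the point of the note above about MIME types), and a checker that performs the same test as the curl command, accepting either the raw curl -I output or the header pairs of a live response. The sample files, the sample curl output, the demo server and the helper names (NosniffHandler, check_nosniff, parse_raw_headers, serve_and_check) are constructed for illustration and are not part of any real deployment.

```python
"""Set nosniff with a correct Content-Type and verify it the way curl -I does.
Added example using only the standard library; everything below is constructed."""
import http.client
import mimetypes
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample "files" the demo server serves, keyed by URL path.
SAMPLE_FILES = {
    "/": b"<!doctype html><script src=/app.js></script>",
    "/app.js": b"console.log('hello');",
    "/data.json": b'{"ok": true}',
}

# Constructed `curl -I` output, the shape the verification step above greps.
SAMPLE_CURL_OUTPUT = (
    "HTTP/2 200 \r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "x-content-type-options: nosniff\r\n"
    "\r\n"
)


class NosniffHandler(BaseHTTPRequestHandler):
    """Serves SAMPLE_FILES with an explicit Content-Type and nosniff."""

    def _respond(self, send_body):
        body = SAMPLE_FILES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        # nosniff only helps if the declared type is right: a .js file served
        # as text/plain would be refused by the browser, so derive the type
        # from the file extension instead of leaving it to the client to guess.
        ctype, _ = mimetypes.guess_type(self.path)
        if self.path == "/":
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):  # the request method `curl -I` sends
        self._respond(send_body=False)

    def log_message(self, *args):  # keep the demo quiet
        pass


def check_nosniff(header_pairs):
    """Return (ok, reason) for an iterable of (name, value) response headers.

    Passes only when X-Content-Type-Options is present exactly once with the
    value nosniff; header name and value are compared case-insensitively.
    """
    values = [v.strip() for k, v in header_pairs
              if k.strip().lower() == "x-content-type-options"]
    if not values:
        return False, "header missing"
    if len(values) > 1:
        # Typically two layers (e.g. a proxy and the app) both adding it.
        return False, "header sent %d times" % len(values)
    if values[0].lower() != "nosniff":
        return False, "unexpected value %r" % values[0]
    return True, "ok"


def parse_raw_headers(raw):
    """Split raw `curl -I` output (status line plus header lines) into pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def serve_and_check(path):
    """Start the demo server on a free localhost port, send the same HEAD
    request curl -I would, and return (status, content_type, check result)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), NosniffHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("HEAD", path)
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Content-Type"), check_nosniff(resp.getheaders()))
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("curl sample:", check_nosniff(parse_raw_headers(SAMPLE_CURL_OUTPUT)))
    for p in SAMPLE_FILES:
        print(p, serve_and_check(p))
```

check_nosniff deliberately fails on a duplicated header as well as on a missing one: a header emitted twice is harmless to browsers (they use the first value) but is the usual sign that both a CDN rule and the origin server were configured, which is worth knowing before you change either.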

Or use the ShowDNS Security Headers Scanner.
