X-Content-Type-Options: nosniff Explained

The nosniff header is one of the simplest security improvements you can make — one line of config that prevents browsers from guessing content types and executing content as the wrong resource type.

X-Content-Type-Options is an HTTP security header with a single valid value: nosniff. It instructs the browser to strictly honour the Content-Type header returned by the server and never attempt to guess (or "sniff") the MIME type of a response. This closes off a class of attacks known as MIME confusion or MIME sniffing attacks.

What Is MIME Sniffing?

MIME type sniffing is a browser behaviour inherited from the early web, when servers frequently sent incorrect or missing Content-Type headers. To be helpful, browsers would inspect the first few bytes of a response (the "magic bytes") and try to determine what kind of content it actually was — regardless of what the server declared.

For example, if a server sent a file with Content-Type: text/plain but the file began with valid JavaScript, some browsers would execute it as a script anyway. Similarly, a file declared as an image but containing HTML might be rendered as a web page.

This behaviour was designed to compensate for misconfigured servers, but it created a significant security vulnerability that attackers can deliberately exploit.

```http
X-Content-Type-Options: nosniff
```

How MIME Confusion Attacks Work

Consider a web application that allows users to upload files, such as profile pictures. The server restricts uploads to image extensions (.jpg, .png) and serves them from a subdomain with Content-Type: image/jpeg.

An attacker uploads a file named avatar.jpg that actually contains JavaScript code. The server obediently serves it as image/jpeg. Without nosniff, a vulnerable browser may detect the JavaScript content during sniffing and execute it when the image URL is visited directly or referenced from the application context — effectively running the attacker's script with the privileges of your domain.

This attack becomes especially powerful when the malicious file is served from the same origin as the application, bypassing Content Security Policy restrictions on cross-origin scripts.

MIME Sniffing Is a Real Risk Even Today

While modern browsers have reduced automatic MIME sniffing, certain content type combinations and browser rendering modes still allow it. The header is a trivial one-line fix; there is no good reason not to set it.

What nosniff Actually Does

When the browser receives a response with X-Content-Type-Options: nosniff, it applies the following rules:

  • Scripts: A resource will only be executed as a script if the Content-Type is a JavaScript MIME type (such as text/javascript or application/javascript). Any other content type is rejected.
  • Stylesheets: A resource is only applied as CSS if the Content-Type is text/css.
  • Other resources: Images, fonts, and other resources use the declared type without fallback sniffing.

In practical terms: if you serve a JavaScript file with the wrong content type and have nosniff enabled, the script will fail to load rather than being sniffed and executed. This forces developers to serve content with correct MIME types, which is good practice regardless of security.

The Only Valid Value Is nosniff

Unlike headers such as X-Frame-Options, which have multiple values, the X-Content-Type-Options header has exactly one defined value: nosniff. Browsers treat any other value as invalid, exactly as if the header were absent. The header has no directives, no parameters, and no exceptions.
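To make the rules above and the single-valid-value point concrete, here is an added example (not from the original article) that models the browser's nosniff decision in Python, following the Fetch and MIME Sniffing standards. The JavaScript MIME type list and the destination names ("script", "style", "image") come from those standards; the header sets inside demo() are constructed.

```python
# Added example (not from the original article): a model of the browser's
# nosniff decision, written from the Fetch and MIME Sniffing standards.
# Destination names ("script", "style", "image", ...) are Fetch's.

JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
    "text/x-ecmascript", "text/x-javascript",
}  # the standard also lists the legacy text/javascript1.0 .. 1.5 variants

def get_header(headers, name):
    """First value of `name` in a list of (name, value) pairs; names are case-insensitive."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)

def mime_essence(content_type):
    """'Text/JavaScript; charset=utf-8' -> 'text/javascript'; None if absent/unusable."""
    essence = (content_type or "").split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None

def nosniff_enabled(headers):
    """Only the token 'nosniff' (case-insensitive, first list member) counts;
    any other value is treated exactly as if the header were absent."""
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.split(",")[0].strip().lower() == "nosniff"

def blocked_by_nosniff(headers, destination):
    """Return (blocked, reason) for a response fetched for `destination`."""
    if not nosniff_enabled(headers):
        return False, "nosniff not in effect; the browser may fall back to sniffing"
    essence = mime_essence(get_header(headers, "Content-Type"))
    if destination == "script" and essence not in JAVASCRIPT_MIME_TYPES:
        return True, f"script blocked: {essence!r} is not a JavaScript MIME type"
    if destination == "style" and essence != "text/css":
        return True, f"stylesheet blocked: {essence!r} is not text/css"
    return False, f"allowed: {destination} uses declared type {essence!r}, no sniffing"

def demo():
    """Constructed responses for the article's scenarios -> {name: blocked}."""
    avatar = [("Content-Type", "image/jpeg"), ("X-Content-Type-Options", "nosniff")]
    plain = [("Content-Type", "text/plain")]
    cases = {
        "avatar.jpg referenced as a script": (avatar, "script"),
        "avatar.jpg loaded as an image": (avatar, "image"),
        "js served as text/plain": (plain + [("x-content-type-options", "NOSNIFF")], "script"),
        "invalid value no-sniff": (plain + [("X-Content-Type-Options", "no-sniff")], "script"),
    }
    return {name: blocked_by_nosniff(h, d)[0] for name, (h, d) in cases.items()}
```

Note that the "no-sniff" case is not blocked: a misspelled value silently leaves the browser free to sniff, which is why verifying the exact header value matters.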

Browser Behaviour Without the Header

Without X-Content-Type-Options: nosniff, browser behaviour varies by vendor and version:

  • Older Internet Explorer was the most aggressive sniffer and is the origin of many MIME confusion vulnerabilities in older applications.
  • Modern Chrome and Firefox have significantly reduced sniffing for scripts and stylesheets in recent versions, but the behaviour is not guaranteed and can vary with document mode and fetch destination.
  • Downloadable content may still be sniffed to determine the appropriate application to open it with, even in modern browsers.

The header is universally supported, costs nothing to add, and removes an entire class of uncertainty from your security posture.

How to Set X-Content-Type-Options

Nginx

```nginx
add_header X-Content-Type-Options "nosniff" always;
```

Apache

```apache
Header always set X-Content-Type-Options "nosniff"
```

Add It Globally

Set this header in your main server or virtual host configuration block so it applies to every response. There is no legitimate use case for disabling it on specific routes, and setting it globally ensures you never accidentally miss a vulnerable endpoint.

Impact on Legitimate Content Types

Enabling nosniff requires that all your resources are served with the correct Content-Type headers. If you are currently relying on browser sniffing to compensate for misconfigured content types, you may see errors after enabling the header. Common issues include:

  • JavaScript files served as text/plain instead of text/javascript.
  • CSS files served as text/html or missing a content type.
  • JSON responses served without a JSON MIME type.

The correct fix is to update your server or application to return the right content types — not to omit nosniff. Most modern web frameworks set correct content types automatically.

How to Verify the Header

Check the header using any of these methods:

  • ShowDNS HTTP Header Checker — enter your URL and check the response headers list.
  • ShowDNS Security Headers Scanner — gives you a full audit including whether nosniff is present.
  • Browser DevTools (F12) → Network tab → select the document → Response Headers.
  • Command line: curl -I https://yourdomain.com and look for the header in the output.
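As an added example (not part of the original article or of the ShowDNS tools), the following Python audits captured `curl -I` output for the header and for the Content-Type mismatches listed under "Impact on Legitimate Content Types". The dumps in SAMPLE and the EXPECTED_TYPES mapping are constructed assumptions, not captures from a real host.

```python
# Added example (not from the original article): audit `curl -I` style header
# dumps for the nosniff header and for the Content-Type mismatches listed above.
# The dumps in SAMPLE are constructed, not captured from a real host.
import posixpath

EXPECTED_TYPES = {".js": {"text/javascript", "application/javascript"},
                  ".css": {"text/css"}, ".json": {"application/json"}}

def parse_head(dump):
    """Split a `curl -I` dump into (status_line, [(name, value), ...])."""
    lines = [ln.rstrip("\r") for ln in dump.strip().splitlines()]
    headers = [tuple(part.strip() for part in ln.split(":", 1))
               for ln in lines[1:] if ":" in ln]
    return lines[0], headers

def first_header(headers, name):
    """Header names are case-insensitive; a repeated header's first value wins."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)

def audit(path, dump):
    """Findings for one response (an empty list means it passes)."""
    findings = []
    _, headers = parse_head(dump)
    xcto = first_header(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing")
    elif xcto.split(",")[0].strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has invalid value {xcto!r}; browsers ignore it")
    ctype = first_header(headers, "Content-Type")
    essence = ctype.split(";", 1)[0].strip().lower() if ctype else None
    expected = EXPECTED_TYPES.get(posixpath.splitext(path)[1].lower())
    if expected and essence not in expected:
        findings.append(f"{path} served as {essence!r}, expected one of {sorted(expected)}")
    return findings

SAMPLE = {  # constructed dumps, one per path
    "/static/app.js": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/plain\r\n"
                      "X-Content-Type-Options: nosniff\r\n",
    "/static/site.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css; charset=utf-8\r\n"
                        "x-content-type-options: NOSNIFF\r\n",
    "/api/user": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                 "X-Content-Type-Options: no-sniff\r\n",
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n",
}

def audit_all(sample=SAMPLE):
    """Run audit() over every captured response -> {path: findings}."""
    return {path: audit(path, dump) for path, dump in sample.items()}
```

Run audit_all() against dumps you captured yourself with curl -I; a clean result is an empty list for every path.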

Frequently Asked Questions

Does nosniff affect image or font loading?

For subresource fetches with a destination of "image" or "font", browsers do not enforce MIME type checking via nosniff in the same strict way they do for scripts and stylesheets. The main enforcement targets are JavaScript and CSS, which are the highest-risk resource types. Images and fonts served with incorrect MIME types may still load, but browser behaviour can vary.

Is nosniff included in the OWASP Top 10 recommendations?

Yes. OWASP lists incorrect content type configuration as a contributing factor to injection vulnerabilities, and X-Content-Type-Options: nosniff is a standard mitigation recommended in OWASP security hardening guides.

Does this header help with file download security?

Partially. For files served with a Content-Disposition: attachment header, the browser downloads the file rather than rendering it. nosniff adds an extra layer by ensuring the download handler uses the declared MIME type rather than sniffing the content, which can influence which application opens the file.
