security
X-Content-Type-Options
Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.
X-Content-Type-Options: nosniff Common directives / values
| Directive | Purpose |
|---|---|
| nosniff | The only defined value — forbids the browser from guessing the MIME type. |
| omitted (default) | Browser may sniff response bodies and reinterpret the declared Content-Type. |
Examples
X-Content-Type-Options: nosniff Add on every response — no downside, meaningful hardening.
Content-Type: application/json\nX-Content-Type-Options: nosniff Prevents a JSON body from being treated as HTML/JS if an attacker forces a hyperlink to it.
Content-Type: text/plain\nX-Content-Type-Options: nosniff Serve user-uploaded content safely — browsers won't render it as HTML.
Content-Type: application/octet-stream\nX-Content-Type-Options: nosniff Force downloads instead of inline rendering for unknown/unsafe binaries.
Gotcha
With nosniff, a stylesheet served without text/css or a script served without a JavaScript MIME type will be blocked — a common breakage after enabling it, and a signal your server config is wrong.
Related headers
Content-Type
Declares the media type of the body in both requests and responses, and often carries additional parameters like charset or boundary. Governs how the recipient parses or renders the payload.
Content-Disposition
In responses, controls whether the browser renders the body inline or offers it as a download, and suggests a filename. In multipart/form-data request parts, names the form field and optionally the upload filename.
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.