security

X-Content-Type-Options

Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.

X-Content-Type-Options: nosniff

Common directives / values

Directive Purpose
nosniff The only defined value — forbids the browser from guessing the MIME type.
omitted (default) Browser may sniff response bodies and reinterpret the declared Content-Type.

Examples

X-Content-Type-Options: nosniff

Add on every response — no downside, meaningful hardening.

Content-Type: application/json\nX-Content-Type-Options: nosniff

Prevents a JSON body from being treated as HTML/JS if an attacker forces a hyperlink to it.

Content-Type: text/plain\nX-Content-Type-Options: nosniff

Serve user-uploaded content safely — browsers won't render it as HTML.

Content-Type: application/octet-stream\nX-Content-Type-Options: nosniff

Force downloads instead of inline rendering for unknown/unsafe binaries.

Gotcha

With nosniff, a stylesheet served without text/css or a script served without a JavaScript MIME type will be blocked — a common breakage after enabling it, and a signal your server config is wrong.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors