Skip to main content

Security Headers

X-Content-Type-Options: Stopping MIME Sniffing

One header value that prevents a subtle class of attacks.

Quick answer

X-Content-Type-Options: nosniff tells browsers to trust the declared content type and not guess it. This prevents "MIME sniffing" attacks where a browser mistakenly executes an uploaded file as a script.

Without this header, browsers may ignore your declared Content-Type and infer their own — occasionally treating an image or text file as executable script. The single value nosniff disables that guessing.

Check your website

See how your site handles x-content-type-options: stopping mime sniffing — free, no account needed.

For business owners

This is the simplest security header to add and it never breaks anything for a correctly configured site. It removes a whole class of upload-based attacks and is universally expected on security scans. There is no reason not to set it.

How it works (technical)

The only meaningful value is nosniff: X-Content-Type-Options: nosniff. It stops the browser from MIME-sniffing responses away from their declared Content-Type. This matters most for script and style contexts — a file served as text/plain will not be executed as JavaScript. It also enables Cross-Origin-Read-Blocking protections.

Real-world example

A site let users upload "images". An attacker uploaded a file containing JavaScript with an image extension. Without nosniff, a browser sniffed it as script in a certain context and executed it. Adding X-Content-Type-Options: nosniff forced the browser to honour the declared type and refuse to run it.

Why it matters

It is a zero-risk, one-line hardening step that scanners always check. Missing it is an easy finding to close and there is no compatibility downside.

How to fix it

  1. Add X-Content-Type-Options: nosniff to every response at the server or CDN.

  2. Ensure your server sends correct Content-Type headers for all assets so nosniff does not misclassify them.

  3. Re-scan to confirm the header is present.

Best practices

  • Always send accurate Content-Type headers alongside nosniff.

  • Apply it globally, not per page.

Common mistakes

  • Omitting it because it "seems minor".

  • Serving assets with wrong or missing Content-Type, which nosniff then enforces strictly.

Frequently asked questions

Can nosniff break my site?

Only if your server sends incorrect Content-Type headers. Fix those and nosniff is completely safe.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account