X-Content-Type-Options: nosniff tells browsers to trust the declared content type and not guess it. This prevents "MIME sniffing" attacks where a browser mistakenly executes an uploaded file as a script.
Without this header, browsers may ignore your declared Content-Type and infer their own — occasionally treating an image or text file as executable script. The single value nosniff disables that guessing.
Check your website
See how your site handles x-content-type-options: stopping mime sniffing — free, no account needed.
For business owners
This is the simplest security header to add and it never breaks anything for a correctly configured site. It removes a whole class of upload-based attacks and is universally expected on security scans. There is no reason not to set it.
How it works (technical)
The only meaningful value is nosniff: X-Content-Type-Options: nosniff. It stops the browser from MIME-sniffing responses away from their declared Content-Type. This matters most for script and style contexts — a file served as text/plain will not be executed as JavaScript. It also enables Cross-Origin-Read-Blocking protections.
Real-world example
A site let users upload "images". An attacker uploaded a file containing JavaScript with an image extension. Without nosniff, a browser sniffed it as script in a certain context and executed it. Adding X-Content-Type-Options: nosniff forced the browser to honour the declared type and refuse to run it.
Why it matters
It is a zero-risk, one-line hardening step that scanners always check. Missing it is an easy finding to close and there is no compatibility downside.
How to fix it
Add
X-Content-Type-Options: nosniffto every response at the server or CDN.Ensure your server sends correct
Content-Typeheaders for all assets so nosniff does not misclassify them.Re-scan to confirm the header is present.
Best practices
Always send accurate Content-Type headers alongside nosniff.
Apply it globally, not per page.
Common mistakes
Omitting it because it "seems minor".
Serving assets with wrong or missing Content-Type, which nosniff then enforces strictly.
Frequently asked questions
Can nosniff break my site?
Only if your server sends incorrect Content-Type headers. Fix those and nosniff is completely safe.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free