X-Content-Type-OptionsX-Content-Type-Options: nosniff is a security header that turns off the browser's habit of inspecting a response's actual bytes and guessing its Content-Type (MIME sniffing). It makes the browser trust the server-declared Content-Type verbatim.
The only valid value is nosniff.
For backward compatibility browsers historically inferred a type from the content bytes when they judged the Content-Type inaccurate. That sniffing is an attack surface: for instance, if a user-uploaded file served as an image or text hides HTML/JS, sniffing can interpret it as text/html and execute the script.
With nosniff the browser trusts the declared type. In particular, it refuses to execute a script whose MIME type isn't a JavaScript type, and refuses to apply a stylesheet that isn't text/css. This blocks attacks that abuse mistyped resources as scripts or styles.
Attaching nosniff together with an accurate Content-Type on every response serving user content (uploads, CDN assets, API JSON) is standard hardening.
X-Content-Type-Options: nosniffe.g. X-Content-Type-Options: nosniff
nosniff | Disables MIME sniffing so the browser trusts the declared Content-Type as-is. |