X-Content-Type-Options
Response header Security

Overview

X-Content-Type-Options: nosniff is a security header that turns off the browser's habit of inspecting a response's actual bytes and guessing its Content-Type (MIME sniffing). It makes the browser trust the server-declared Content-Type verbatim.

The only valid value is nosniff.

Details

For backward compatibility browsers historically inferred a type from the content bytes when they judged the Content-Type inaccurate. That sniffing is an attack surface: for instance, if a user-uploaded file served as an image or text hides HTML/JS, sniffing can interpret it as text/html and execute the script.

With nosniff the browser trusts the declared type. In particular, it refuses to execute a script whose MIME type isn't a JavaScript type, and refuses to apply a stylesheet that isn't text/css. This blocks attacks that abuse mistyped resources as scripts or styles.

Attaching nosniff together with an accurate Content-Type on every response serving user content (uploads, CDN assets, API JSON) is standard hardening.

Syntax

X-Content-Type-Options: nosniff

e.g. X-Content-Type-Options: nosniff

Directives / values

nosniffDisables MIME sniffing so the browser trusts the declared Content-Type as-is.

Notes

Related headers

Related status codes

Specification