
X-Content-Type-Options

Description

The X-Content-Type-Options response header tells the browser not to MIME-sniff a response. When set to nosniff, it instructs browsers to trust the declared Content-Type header and not to guess the content type from the bytes of the body. In current browsers it also makes two loads strict: a resource loaded as a script is rejected unless its declared type is a JavaScript MIME type, and a resource loaded as a stylesheet is rejected unless its declared type is text/css.

MIME type sniffing is a browser feature that tries to determine the real content type of a resource when the declared Content-Type header is missing or looks wrong. It was designed to make misconfigured servers work, but it can be exploited for cross-site scripting (XSS): if an attacker can upload content that contains HTML or script, and the server serves it with a harmless declared type such as text/plain or image/png, a sniffing browser may render it as HTML in the site's own origin.

By setting the X-Content-Type-Options header to nosniff, web developers prevent browsers from interpreting a file as a different MIME type than the one declared in the Content-Type header. The header does not make a wrong Content-Type correct; the server must still declare the right type, and nosniff then guarantees that the browser honours it.

Syntax

The syntax of the X-Content-Type-Options header is simple:

X-Content-Type-Options: nosniff

Currently, nosniff is the only valid value for this header.

Example Syntax

X-Content-Type-Options: nosniff
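The two behaviours described above (the header value check in the Syntax section, and the script and stylesheet blocking in the Description) can be modelled directly. The following is an added example, not code from the original page: it reimplements the Fetch standard's "determine nosniff" and "should response to request be blocked due to nosniff?" steps in plain JavaScript so you can see which loads the header actually changes. The JavaScript MIME type list is the one from the MIME Sniffing standard; the header objects at the bottom are constructed sample data.

```javascript
// Added example: a model of how browsers apply X-Content-Type-Options.
// Not taken from the original page; sample headers below are constructed.

// JavaScript MIME types as listed by the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Request destinations the Fetch standard treats as "script-like".
const SCRIPT_LIKE = new Set([
  "script", "audioworklet", "paintworklet", "serviceworker",
  "sharedworker", "worker",
]);

// Case-insensitive lookup in a plain object of response headers.
function headerGet(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return v;
  }
  return null;
}

// "Determine nosniff": the header value is split on commas and only the
// FIRST value counts, compared ASCII-case-insensitively. So "NOSNIFF" enables
// the check, while "no-sniff", "true" or "foo, nosniff" do not.
function determineNosniff(headers) {
  const raw = headerGet(headers, "x-content-type-options");
  if (raw === null) return false;
  const first = raw.split(",")[0].trim();
  return first.toLowerCase() === "nosniff";
}

// "Extract a MIME type" reduced to its essence:
// "text/html; charset=utf-8" -> "text/html"; missing header -> null (failure).
function mimeEssence(headers) {
  const ct = headerGet(headers, "content-type");
  if (ct === null) return null;
  return ct.split(";")[0].trim().toLowerCase() || null;
}

// "Should response to request be blocked due to nosniff?"
// Returns "blocked" or "allowed" for a given request destination.
function nosniffDecision(destination, responseHeaders) {
  if (!determineNosniff(responseHeaders)) return "allowed";
  const essence = mimeEssence(responseHeaders);
  if (SCRIPT_LIKE.has(destination)) {
    return essence !== null && JAVASCRIPT_MIME_TYPES.has(essence)
      ? "allowed" : "blocked";
  }
  if (destination === "style") {
    return essence === "text/css" ? "allowed" : "blocked";
  }
  // Other destinations (document, image, fetch, ...) are not blocked by this
  // step; for them nosniff only stops the browser from upgrading the declared
  // type to something else (for example text/plain to text/html).
  return "allowed";
}

// Constructed sample: an uploaded "avatar" that is really JavaScript, served
// from the upload directory as text/plain and referenced by <script src>.
const uploadedAsTextPlain = {
  "Content-Type": "text/plain; charset=UTF-8",
  "X-Content-Type-Options": "nosniff",
};
const uploadedWithoutHeader = { "Content-Type": "text/plain; charset=UTF-8" };

console.log(nosniffDecision("script", uploadedAsTextPlain));   // blocked
// Without the header a browser executes the script for most declared types,
// so the file's real content wins over the server's Content-Type.
console.log(nosniffDecision("script", uploadedWithoutHeader)); // allowed
```

The point a practitioner should take from the model: the header is only consulted for script-like and style destinations, and only its first comma-separated value counts. A misspelt value such as `no-sniff` silently disables the protection, which is worth checking for in a header scanner.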

Examples

Basic HTML Response Example

A response serving an HTML document with the header:

HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 01:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 148

<!DOCTYPE html>
<html>
<head><title>Protected Page</title></head>
<body><p>This page is protected against MIME sniffing attacks.</p></body>
</html>

JSON API Response Example

A response from a JSON API with the header:

HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 01:10:30 GMT
Content-Type: application/json
X-Content-Type-Options: nosniff
Content-Length: 50

{"status": "success", "message": "Data retrieved"}

File Download Example

A response serving a file download with the header:

HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 01:20:45 GMT
Content-Type: application/pdf
Content-Disposition: attachment; filename="document.pdf"
X-Content-Type-Options: nosniff
Content-Length: 24680

[...PDF content...]

In this example, the header ensures that browsers won't try to interpret the PDF file as HTML or JavaScript, even if its bytes resemble those formats. Content-Disposition: attachment already keeps the browser from rendering the file as a page; nosniff still matters if the URL is referenced from a <script> or <link rel="stylesheet"> element, because the declared application/pdf type then causes the load to be rejected instead of executed.

User-Generated Content Example

A response serving user-generated content with the header:

HTTP/1.1 200 OK
Date: Tue, 03 Jun 2025 01:30:15 GMT
Content-Type: text/plain; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Content-Length: 139

This is user-generated content that has been properly escaped and is being served with appropriate security headers to prevent XSS attacks.

This example shows the header being used alongside other security headers like Content-Security-Policy when serving user-generated content. The two do different jobs: nosniff keeps the browser from promoting the text/plain body to HTML or script, while the Content-Security-Policy limits what could run if the content were ever rendered as a document.

Summary

The X-Content-Type-Options response header is a simple but effective security measure that prevents browsers from interpreting files as a different MIME type than the one declared in the Content-Type header, and that makes browsers reject script and stylesheet loads whose declared type is wrong. By including X-Content-Type-Options: nosniff in HTTP responses, web developers mitigate MIME type confusion attacks that could otherwise lead to cross-site scripting. The header matters most when serving user-uploaded content or file downloads that might contain executable code. As part of a defense-in-depth strategy it should be used together with other security headers such as Content-Security-Policy and with server-side control of the declared content type, since nosniff only enforces the type the server declares.