X-Content-Type-Options
The HTTP X-Content-Type-Options response header indicates that the MIME types in the HTTP Content-Type header must be followed as-is, and not changed.
Usage
The HTTP X-Content-Type-Options response header is sent by the server to instruct the client to honor the content type declared in the message. It has the effect of avoiding MIME type sniffing, preventing certain types of cross-site scripting attacks.
Note
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated, and such headers need to be transitioned to the formal naming convention for HTTP headers.
The only directive is nosniff, which is used in the following way:
X-Content-Type-Options: nosniff
The nosniff directive will block an HTTP request if the destination is of type style and the MIME type is not text/css. Also, it will block instances of type script where the MIME type is not a valid JavaScript MIME type.
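The blocking rule described above can be expressed as a small audit function for checking captured responses. This is an added example, not code from the original page; the function names, the lower-case header object, and the sample responses are assumptions made for illustration, and the JavaScript MIME type list is the one in the WHATWG MIME Sniffing standard.

```javascript
// JavaScript MIME type essences (WHATWG MIME Sniffing standard).
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce "Text/CSS; charset=utf-8" to "text/css"; "" when the header is absent.
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// headers: plain object keyed by lower-case header name (assumption).
// Only the first comma-separated value counts, compared case-insensitively.
function hasNosniff(headers) {
  const value = headers["x-content-type-options"] || "";
  return value.split(",")[0].trim().toLowerCase() === "nosniff";
}

// destination: "style", "script", or any other request destination.
// Returns "blocked", "allowed", or "sniffable" (no nosniff, client may sniff).
function nosniffVerdict(destination, headers) {
  if (!hasNosniff(headers)) return "sniffable";
  const essence = mimeEssence(headers["content-type"]);
  if (destination === "style" && essence !== "text/css") return "blocked";
  if (destination === "script" && !JS_MIME_TYPES.has(essence)) return "blocked";
  return "allowed";
}

// Constructed sample responses (not real traffic).
const SAMPLES = [
  { url: "https://app.example.test/site.css", destination: "style",
    headers: { "x-content-type-options": "nosniff", "content-type": "text/css; charset=utf-8" } },
  { url: "https://app.example.test/upload/1.txt", destination: "script",
    headers: { "x-content-type-options": "nosniff", "content-type": "text/plain" } },
  { url: "https://app.example.test/legacy.js", destination: "script",
    headers: { "content-type": "text/plain" } },
];

// Audit every sample; "sniffable" entries are the ones missing the header.
function auditSamples() {
  return SAMPLES.map((s) => ({ url: s.url, verdict: nosniffVerdict(s.destination, s.headers) }));
}
```

Responses reported as "sniffable" are the ones to fix on the server, since without nosniff the client is free to guess a type other than the declared one.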
Takeaway
The HTTP X-Content-Type-Options header is used to inform the client that the MIME types listed in the HTTP Content-Type header are to be followed. Because these types are assumed to be deliberately configured, it avoids MIME type sniffing.