X-Content-Type-Options

The HTTP X-Content-Type-Options response header instructs the browser to respect the declared Content-Type and not perform MIME type sniffing.

Note

The "X-" prefix for HTTP headers, where "X" stood for "experimental", has been deprecated, and new headers are expected to use the formal, unprefixed naming convention. Despite the prefix, X-Content-Type-Options is registered in the IANA permanent message headers registry and is part of the Fetch Standard. The prefix reflects its origins before formal standardization.

Usage

MIME sniffing is a browser behavior where the browser inspects the content of a response and overrides the declared Content-Type based on patterns found in the response body. While intended as a convenience for misconfigured servers, MIME sniffing opens a security gap: an attacker uploads a file disguised as an image, the browser sniffs the content as HTML or JavaScript, and a cross-site scripting attack executes.

The X-Content-Type-Options header closes this gap. When set to nosniff, the browser strictly follows the Content-Type header and refuses to load resources where the declared type does not match the expected type. For style destinations, the browser blocks the response unless the Content-Type is text/css. For script destinations, the browser blocks the response unless the Content-Type is a valid JavaScript MIME type.

This header is widely deployed as a standard security hardening measure and is recommended alongside Content-Security-Policy and X-Frame-Options for defense-in-depth.

Values

nosniff

The nosniff value is the only defined value. Setting this directive prevents the browser from MIME-sniffing a response away from the declared Content-Type.

Example

A server delivering a JSON API response with MIME sniffing disabled, ensuring the browser treats the response strictly as JSON:

Content-Type: application/json
X-Content-Type-Options: nosniff

A CSS file served with the correct Content-Type and sniffing protection, preventing the browser from reinterpreting the file:

Content-Type: text/css
X-Content-Type-Options: nosniff

Takeaway

The X-Content-Type-Options header prevents browsers from overriding the declared Content-Type through MIME sniffing, blocking a class of attacks where malicious content is disguised as a safe file type.

Last updated: March 11, 2026