X-Content-Type-Options: nosniff Explained
The X-Content-Type-Options HTTP response header, with its single value nosniff, tells the browser to trust the declared Content-Type of a response and not to guess (sniff) it. This blocks a class of attacks where a file served as one type is reinterpreted by the browser as another — for example a user-uploaded "image" being executed as JavaScript or HTML.
What is the X-Content-Type-Options header?
To be helpful, browsers historically tried to detect a file's real type by inspecting its contents, overriding the Content-Type the server sent. That MIME-sniffing is a security hole: if an attacker can upload a file that looks like a script, a browser might run it even though the server labelled it as plain text or an image. Setting X-Content-Type-Options: nosniff disables the guessing — the browser uses exactly the type the server declared, nothing else.
The only value: nosniff
X-Content-Type-Options: nosniff
There is just one valid value. With nosniff set, the browser also enforces that scripts and stylesheets are only executed when served with a correct MIME type (text/javascript, text/css), which stops content mislabelled as those types from running.
Why it matters
- Blocks drive-by execution of uploads. A file the server serves as
text/plaincannot be sniffed intotext/htmland executed with an injected script. - Hardens sites that host user content. Anywhere users can upload files,
nosniffreduces the risk of those files being treated as active content. - Cheap and safe. It has essentially no downside for correctly configured sites, so it belongs on every response.
How to check X-Content-Type-Options
Confirm whether a site sends X-Content-Type-Options: nosniff with the free HTTP headers checker, or review it alongside every other protection in the security headers guide.
Common mistakes
- Serving assets with the wrong Content-Type. With
nosniffon, a script sent astext/plainwill refuse to run — which is the point, but it means your server must label assets correctly. - Setting it on some responses only. Apply it site-wide; a single unprotected upload path is enough to be exploited.
Related security headers
nosniff is one of the low-cost baseline headers, alongside X-Frame-Options and Referrer-Policy, that complement the heavier Content-Security-Policy.
Frequently asked questions
What does nosniff actually do?
It stops the browser from second-guessing a response's Content-Type. The browser uses the server's declared type, so a file cannot be reinterpreted into executable content.
Are there other values besides nosniff?
No. nosniff is the only defined value for X-Content-Type-Options.
Can nosniff break my site?
Only if your server mislabels assets — for example serving JavaScript as text/plain. Fixing the Content-Type of your assets resolves it, and correctly configured sites see no issues.