X-Content-Type-Options: nosniff Explained

Jul 16, 2026
Updated Jul 16, 2026 Security Headers x-content-type-options nosniff mime sniffing header x-content-type-options nosniff

The X-Content-Type-Options HTTP response header, with its single value nosniff, tells the browser to trust the declared Content-Type of a response and not to guess (sniff) it. This blocks a class of attacks where a file served as one type is reinterpreted by the browser as another — for example a user-uploaded "image" being executed as JavaScript or HTML.

What is the X-Content-Type-Options header?

To be helpful, browsers historically tried to detect a file's real type by inspecting its contents, overriding the Content-Type the server sent. That MIME-sniffing is a security hole: if an attacker can upload a file that looks like a script, a browser might run it even though the server labelled it as plain text or an image. Setting X-Content-Type-Options: nosniff disables the guessing — the browser uses exactly the type the server declared, nothing else.

The only value: nosniff

X-Content-Type-Options: nosniff

There is just one valid value. With nosniff set, the browser also enforces that scripts and stylesheets are only executed when served with a correct MIME type (text/javascript, text/css), which stops content mislabelled as those types from running.

Why it matters

  • Blocks drive-by execution of uploads. A file the server serves as text/plain cannot be sniffed into text/html and executed with an injected script.
  • Hardens sites that host user content. Anywhere users can upload files, nosniff reduces the risk of those files being treated as active content.
  • Cheap and safe. It has essentially no downside for correctly configured sites, so it belongs on every response.

How to check X-Content-Type-Options

Confirm whether a site sends X-Content-Type-Options: nosniff with the free HTTP headers checker, or review it alongside every other protection in the security headers guide.

Common mistakes

  • Serving assets with the wrong Content-Type. With nosniff on, a script sent as text/plain will refuse to run — which is the point, but it means your server must label assets correctly.
  • Setting it on some responses only. Apply it site-wide; a single unprotected upload path is enough to be exploited.

Related security headers

nosniff is one of the low-cost baseline headers, alongside X-Frame-Options and Referrer-Policy, that complement the heavier Content-Security-Policy.

Frequently asked questions

What does nosniff actually do?

It stops the browser from second-guessing a response's Content-Type. The browser uses the server's declared type, so a file cannot be reinterpreted into executable content.

Are there other values besides nosniff?

No. nosniff is the only defined value for X-Content-Type-Options.

Can nosniff break my site?

Only if your server mislabels assets — for example serving JavaScript as text/plain. Fixing the Content-Type of your assets resolves it, and correctly configured sites see no issues.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan