Security Headers – X-Content-Type

What is X-Content-Type-Options?

The X-Content-Type-Options is an HTTP header used to avoid having your website compromised by an attacker and increase the security of your website.

It is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.

What is “X-Content-Type-Options: nosniff”?

If you implement this security header, the HTML stylesheet and script elements will reject responses with incorrect MIME types.

How does X-Content-Type-Options work?

This marker informs the browser when the server sends the “X-Content-Type-Options: nosniff” header on its responses.

If the “nosniff” directive is received on a response received by a styleSheet reference, the browser will not load the “stylesheet” file unless the MIME type matches “text/css”.

If the “nosniff” directive is received on a response retrieved by a script reference, Internet Explorer will not load the “script” file unless the MIME type matches one of the following values:

  • “application/ecmascript”
  • “application/javascript”
  • “application/x-javascript”
  • “text/ecmascript”
  • “text/javascript”
  • “text/jscript”
  • “text/x-javascript”
  • “text/vbs”
  • “text/vbscript”

What does it not protect against?

The X-Content-Type-Options: nosniff header does not protect against all sniffing-related vulnerabilities.

This header is only supported by certain browsers (also depends on its versions). For more info, refer to X-Content-Type-Options by Mozilla.

If an unsupported browser accessed an asset which sends back this particular response header, it will not have any effect.

On the other hand, if an extension or plugin such as Flash is used to fetch resources and also does not support this security header, the protection will be voided in such scenario.

How to enable X-Content-Type-Options nosniff header?

It is very easy to enable such security header on your website depending on which web server you’re using.

For Nginx server

For websites using such server, add the following snippet to your .conf file. Once added, save the file and restart your Nginx server.

add_header X-Content-Type-Options "nosniff"

For Apache server

For websites using such server, add the following snippet to your .htaccess file. Once added, save the file and restart your Apache server.

Header set X-Content-Type-Options "nosniff"

Should I implement this security header?

Definitely, it is quite a simple task to do so and it adds an extra layer of security for your website.

Although this security header may not be able to protect against all forms of XSS attacks, it is easy enough to implement with little effort.

For more information, please reference from