Headers
X-Content-Type-Options: nosniff. The one-line defensive header.
Published 2026-06-16 · Last updated 2026-06-16 · Vantyris editorial
X-Content-Type-Options is the smallest entry in the defensive-headers set: a single response header with a single allowed value (`nosniff`). It tells the browser to trust the Content-Type your server declares rather than trying to sniff the file's actual contents to guess what it is. Without it, a server that mistakenly returns a .txt file as `text/html` (or worse, a JSON endpoint that an attacker can squeeze HTML into) can execute as a script. With it, the browser refuses to. It's not the most exciting fix, but it's the cheapest.
What this means for your business
- Historically, browsers would 'sniff' a file's actual content if the server's declared Content-Type seemed wrong or generic. This was helpful for badly-configured servers but became an attack vector: an attacker who could upload a file that contained HTML to a site that served it back with a generic Content-Type could get the browser to render it as HTML and execute scripts.
- X-Content-Type-Options: nosniff tells the browser to trust the server's declared Content-Type without trying to guess. A file the server says is `image/png` will be loaded as an image; if it happens to contain HTML, the browser ignores that and renders nothing.
- Modern browsers default to less-aggressive sniffing than they used to, but explicit nosniff is still the recommended security baseline. It costs nothing and shouldn't break anything that wasn't already broken.
How to fix
Add a single header to every response: `X-Content-Type-Options: nosniff`. Most web hosts have a 'security headers' setting that includes it as a default.
- Check whether the header is already set. Open DevTools → Network → click any request to your site → Response Headers. Look for `x-content-type-options: nosniff`. If present, you're done. If not, add it.
- Add it at your web host or CDN. Apache: `Header always set X-Content-Type-Options nosniff`. Nginx: `add_header X-Content-Type-Options nosniff always;`. Next.js: in `next.config.mjs` headers function. Cloudflare: Rules → Transform Rules → Modify Response Header → add the header.
- Verify in DevTools after deploy. Reload, check Response Headers again. The header should now appear.
Owner: Your web host or developer. · Time: 5 minutes.
Common gotchas
- If your site serves user-uploaded files (avatars, document uploads, etc.) with a Content-Type the browser doesn't recognise, nosniff causes the browser to download them rather than try to render them. That's usually what you want for security; it might surprise users expecting a preview.
- If you also serve a separate static-asset domain (cdn.yourdomain.com), add the header there too. Headers don't propagate across origins.
- Some legacy IE-targeted code relied on MIME sniffing to render content. If your site has a 2010-era jQuery plugin doing weird things with iframe contentTypes, test before assuming nosniff is safe. Almost no modern site has this problem.
How to verify the fix
Vantyris's verified scan checks for the header in the Web hygiene category. Or use securityheaders.com which grades the full defensive header set.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Does nosniff affect search engine crawling?
No. Search crawlers respect Content-Type headers anyway; they don't sniff. The header is invisible to them in practice.
Are there any modern attacks that nosniff actually blocks?
Yes — most notably file-upload XSS. An attacker uploads a 'png' file that's actually HTML, and your site serves it back with the original Content-Type or a generic one. Without nosniff, the browser might render it as HTML and run the embedded scripts. With nosniff, the browser refuses to.
Should I also set X-Download-Options?
That's an old IE-specific header that's effectively defunct. Modern security cheatsheets dropped it years ago. Don't bother.
References
Related explainers
- Content Security Policy: the header that stops most XSS attacks dead.
- X-Frame-Options and frame-ancestors: the anti-clickjacking header.
- SameSite + Secure cookies: the two attributes every session cookie needs.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0