Skip to main content
Vantyris

Headers

X-Content-Type-Options: nosniff. The one-line defensive header.

Published 2026-06-16 · Last updated 2026-06-16 · Vantyris editorial

X-Content-Type-Options is the smallest entry in the defensive-headers set: a single response header with a single allowed value (`nosniff`). It tells the browser to trust the Content-Type your server declares rather than trying to sniff the file's actual contents to guess what it is. Without it, a server that mistakenly returns a .txt file as `text/html` (or worse, a JSON endpoint that an attacker can squeeze HTML into) can execute as a script. With it, the browser refuses to. It's not the most exciting fix, but it's the cheapest.

What this means for your business

How to fix

Add a single header to every response: `X-Content-Type-Options: nosniff`. Most web hosts have a 'security headers' setting that includes it as a default.

  1. Check whether the header is already set. Open DevTools → Network → click any request to your site → Response Headers. Look for `x-content-type-options: nosniff`. If present, you're done. If not, add it.
  2. Add it at your web host or CDN. Apache: `Header always set X-Content-Type-Options nosniff`. Nginx: `add_header X-Content-Type-Options nosniff always;`. Next.js: in `next.config.mjs` headers function. Cloudflare: Rules → Transform Rules → Modify Response Header → add the header.
  3. Verify in DevTools after deploy. Reload, check Response Headers again. The header should now appear.

Owner: Your web host or developer. · Time: 5 minutes.

Common gotchas

How to verify the fix

Vantyris's verified scan checks for the header in the Web hygiene category. Or use securityheaders.com which grades the full defensive header set.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Does nosniff affect search engine crawling?

No. Search crawlers respect Content-Type headers anyway; they don't sniff. The header is invisible to them in practice.

Are there any modern attacks that nosniff actually blocks?

Yes — most notably file-upload XSS. An attacker uploads a 'png' file that's actually HTML, and your site serves it back with the original Content-Type or a generic one. Without nosniff, the browser might render it as HTML and run the embedded scripts. With nosniff, the browser refuses to.

Should I also set X-Download-Options?

That's an old IE-specific header that's effectively defunct. Modern security cheatsheets dropped it years ago. Don't bother.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0