SecPrep

What does the response header `X-Content-Type-Options: nosniff` do?

  • 1. Forces the connection to use HTTPS
  • 2. Stops the browser MIME-sniffing away from the declared Content-Type ✓ correct
  • 3. Prevents the page from being framed (clickjacking)
  • 4. Enables cross-origin resource sharing

Without nosniff, some browsers (historically Internet Explorer in particular) 'helpfully' guess a response's content type from its bytes rather than trusting the server's Content-Type header. Suppose an attacker uploads a file with a .jpg extension that actually contains JavaScript, and the site serves it as image/jpeg; a page that references that URL in a <script> tag could still get it executed as a script, because the browser sniffs the body as JavaScript. X-Content-Type-Options: nosniff tells the browser: 'trust my Content-Type header, do not sniff.' Concretely, a script load whose response does not carry a JavaScript MIME type, and a stylesheet load whose response is not text/css, is blocked outright instead of being guessed at. The header only helps if the server labels responses accurately, since the browser now takes Content-Type at face value; send it on every response, uploads included, alongside correct content types. The other options: HSTS forces HTTPS; X-Frame-Options/CSP frame-ancestors block framing (clickjacking); CORS is a separate access-control mechanism.

It stops the browser from MIME-sniffing a response away from its declared Content-Type.
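The following is an added example, not code from the SecPrep page: a small model of the Fetch standard's "should response be blocked due to nosniff?" check, so you can see precisely what the header changes for script and stylesheet loads. It assumes a plain object of lowercase header names (as Node's http module exposes them); the header values and request destinations at the bottom are constructed test data.

```javascript
// Added example (not from the original page): models the browser-side rule that
// X-Content-Type-Options: nosniff switches on, per the Fetch standard.
// Assumption: `headers` is an object keyed by lowercase header name, as Node's
// http.IncomingMessage.headers / fetch response headers would give you.

// JavaScript MIME type essences recognised by the HTML/MIME Sniffing standards.
const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// "Determine nosniff": only the FIRST comma-separated value counts, trimmed and
// compared case-insensitively. "foo, nosniff" therefore does NOT enable it.
function determineNosniff(headers) {
  const raw = headers['x-content-type-options'];
  if (raw === undefined || raw === null) return false;
  const first = String(raw).split(',')[0].trim();
  return first.toLowerCase() === 'nosniff';
}

// Extract the MIME essence (type/subtype, lowercased) from a Content-Type value;
// returns null when the header is absent or empty (the spec's "failure").
function mimeEssence(contentType) {
  if (!contentType) return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return essence === '' ? null : essence;
}

// True when the browser must refuse to use the response for this request
// destination. Only 'script' and 'style' are affected; images, fetch(), etc. are
// not blocked by nosniff (they may still be sniffed by other rules).
function blockedByNosniff(headers, destination) {
  if (!determineNosniff(headers)) return false;
  const essence = mimeEssence(headers['content-type']);
  if (destination === 'script') return !JS_MIME_TYPES.has(essence);
  if (destination === 'style') return essence !== 'text/css';
  return false;
}

// Headers a hardened upload endpoint should send for user-supplied files:
// an accurate Content-Type plus nosniff, so a .jpg full of JavaScript is never
// runnable via <script src="/uploads/x.jpg">.
function uploadResponseHeaders(detectedMime) {
  return {
    'content-type': detectedMime,
    'x-content-type-options': 'nosniff',
    // Belt and braces: serve as a download rather than inline.
    'content-disposition': 'attachment',
  };
}

// Constructed scenarios: the quiz's attacker-uploaded "image" requested as a script.
const scenarios = [
  ['no header, script load of image/jpeg',
    blockedByNosniff({ 'content-type': 'image/jpeg' }, 'script')],
  ['nosniff, script load of image/jpeg',
    blockedByNosniff(uploadResponseHeaders('image/jpeg'), 'script')],
  ['nosniff, script load of real JS',
    blockedByNosniff({ 'content-type': 'text/javascript; charset=utf-8',
      'x-content-type-options': 'NoSniff' }, 'script')],
  ['nosniff, image load of image/jpeg',
    blockedByNosniff(uploadResponseHeaders('image/jpeg'), 'image')],
];
for (const [label, blocked] of scenarios) {
  console.log(`${label}: ${blocked ? 'BLOCKED' : 'allowed'}`);
}
```

Two things the model makes visible that the one-line explanation does not: a missing Content-Type under nosniff counts as "not JavaScript", so the script is blocked rather than sniffed, and only the first value of the header is honoured, so a proxy that appends the directive after some other value has not actually enabled it.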
