X-Content-Type-Options nosniff

X-Content-Type-Options is an HTTP response header used to enhance the security of a web application. Its purpose is to stop the browser from guessing a resource's type from its content and treating it as a MIME type other than the one declared in Content-Type, a behaviour known as MIME sniffing.^[600-developer-tools-security-strict-transport-security.md]

Usage

The header takes a single directive, nosniff.^[600-developer-tools-security-strict-transport-security.md]

Implementation

To enable this protection, the server should be configured to send the following header:

```js
// Node.js (http.ServerResponse or an Express response object)
res.setHeader('X-Content-Type-Options', 'nosniff')
```
^[600-developer-tools-security-strict-transport-security.md]

Behavior

When the nosniff directive is present, the browser trusts only the declared Content-Type and does not sniff the body. The blocking check applies to script and style resources:^[600-developer-tools-security-strict-transport-security.md]

  • Styles: If a resource's declared Content-Type is not text/css, the browser will block it.
  • Scripts: If a resource's declared Content-Type is not a valid JavaScript MIME type, the browser will block it.

Sources

  • 600-developer-tools-security-strict-transport-security.md