X-Content-Type-Options: nosniff in 5 minutes

One header, one value, no excuses. nosniff stops the browser from guessing your content types into a security bug.

What it is

X-Content-Type-Options is an HTTP response header. When set to nosniff, it tells the browser to trust the declared Content-Type and not to MIME-sniff (guess the type by inspecting the body), which prevents the browser from handling a response as a type the server never declared.

Why it matters

Browsers that MIME-sniff may treat a response as executable (e.g. script or HTML) when it was intended as data, leading to XSS or unexpected execution. nosniff is simple to set and is recommended for every response.

How Barrion checks it

Barrion checks for X-Content-Type-Options: nosniff on your responses. We report when the header is missing or when its value is anything other than nosniff. The check is a passive inspection of response headers only.

Configuration examples

Nginx: set nosniff on all responses

add_header X-Content-Type-Options "nosniff" always;

Apache: set nosniff on all responses

Header always set X-Content-Type-Options "nosniff"

Verify it

curl -sI https://example.com | grep -i x-content-type-options
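The curl one-liner above shows you the raw header; the script below is an added example (not Barrion's checker) that applies the same passive inspection programmatically, covering the edge cases a grep can miss: a header name in different case, a value such as NoSniff, a comma-joined value, or an empty value. The evaluation mirrors the Fetch specification's "determine nosniff" step, which splits the header on commas and accepts only a case-insensitive nosniff as the first token. The sample response heads are constructed for illustration; fetch_head is an optional helper that issues a real HEAD request when you pass a URL on the command line.

```python
"""Passive check for X-Content-Type-Options: nosniff on raw HTTP response heads.

Added example, not Barrion's own code. The sample response heads below are
constructed for illustration; the parser accepts the head section exactly as
`curl -sI` prints it.
"""
from urllib.request import Request, urlopen


def parse_head(raw_head: str) -> list[tuple[str, str]]:
    """Split a response head (status line + header lines) into (name, value) pairs.

    Header names are lower-cased so lookups are case-insensitive, as in HTTP."""
    pairs = []
    for line in raw_head.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line, blank line, or non-header text
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def nosniff_status(raw_head: str) -> str:
    """Return 'ok', 'missing' or 'wrong-value' for X-Content-Type-Options.

    Mirrors the Fetch spec's "determine nosniff" step: all occurrences of the
    header are combined, split on commas, and only the first token counts; the
    comparison is case-insensitive, so `NoSniff` passes while `sniff` or an
    empty value does not."""
    values = [v for n, v in parse_head(raw_head) if n == "x-content-type-options"]
    if not values:
        return "missing"
    first_token = ",".join(values).split(",")[0].strip()
    return "ok" if first_token.lower() == "nosniff" else "wrong-value"


def fetch_head(url: str, timeout: float = 10.0) -> str:
    """Issue a HEAD request and return the response head in curl -sI layout.

    Network access is optional; a server that rejects HEAD raises HTTPError."""
    req = Request(url, method="HEAD", headers={"User-Agent": "nosniff-check/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        status_line = f"HTTP/1.1 {resp.status} {resp.reason}"
        lines = [f"{k}: {v}" for k, v in resp.getheaders()]
    return "\n".join([status_line, *lines])


# Constructed sample heads (not captured from any real server).
GOOD_HEAD = """HTTP/1.1 200 OK
Content-Type: application/json
X-Content-Type-Options: nosniff
"""

MISSING_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

WRONG_HEAD = """HTTP/1.1 200 OK
Content-Type: text/plain
x-content-type-options: sniff
"""

if __name__ == "__main__":
    import sys

    for label, head in (("good", GOOD_HEAD), ("missing", MISSING_HEAD), ("wrong", WRONG_HEAD)):
        print(f"{label}: {nosniff_status(head)}")
    if len(sys.argv) > 1:  # e.g. python nosniff_check.py https://example.com
        print(sys.argv[1], nosniff_status(fetch_head(sys.argv[1])))
```

Anything other than "ok" is the condition the report above flags: "missing" means no header at all, "wrong-value" means the header is present but a browser will still sniff, which is the same outcome as omitting it.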
