What it is
X-Content-Type-Options is an HTTP response header. When set to nosniff, it tells the browser not to MIME-sniff the response: the browser uses the Content-Type header you send instead of guessing from the content. It also makes the browser refuse to execute a script, or apply a stylesheet, whose response is not served with a JavaScript MIME type or text/css respectively.
Why it matters
Without nosniff, a browser might treat a response as a different type (e.g. HTML or script) and execute it, which can lead to XSS or unexpected behavior. nosniff is a simple, high-impact header for static and dynamic responses.
How it is exploited
A user uploads a file named avatar.jpg that actually contains HTML and JavaScript. When another user views /uploads/avatar.jpg, the browser sniffs the bytes, decides it looks like HTML, and runs the script in your origin. The payload steals the viewer's session cookie even though your server set Content-Type to image/jpeg. This exact sequence worked in older browsers (the header was introduced in Internet Explorer 8 to stop it). Current browsers no longer promote an explicit image/jpeg to HTML on navigation, but they still sniff responses that arrive with no Content-Type at all, and without nosniff they will execute that same upload as JavaScript if any page on your origin references it with <script src="/uploads/avatar.jpg">, whatever Content-Type it was served with.
How to fix it
- Add the header. Send X-Content-Type-Options: nosniff on every response. This is a single, fixed value; no configuration needed beyond adding the header.
- Set in server or app. Add the header in your web server config or application middleware so it is sent for HTML, API, and asset responses, and for error responses and redirects too; the always flag in the Nginx and Apache examples below is what makes it unconditional.
- Verify. Run Barrion's X-Content-Type-Options check or inspect response headers to confirm the header is present.
Examples by platform
Nginx
add_header X-Content-Type-Options "nosniff" always;
The always flag emits the header on error responses (4xx and 5xx) as well as successes. Nginx does not inherit add_header from an enclosing block once a location defines any add_header of its own, so repeat the line in such locations.
Apache
Header always set X-Content-Type-Options "nosniff"
Requires mod_headers. The always condition covers error responses, which the default onsuccess condition omits.
How to verify the fix
Confirm the X-Content-Type-Options header is present in HTTPS responses. curl -I sends a HEAD request, which some servers and frameworks answer with a different header set (or a 405), so prefer a GET that discards the body:
curl -s -o /dev/null -D - https://example.com | grep -i x-content-type-options
Repeat for an API endpoint, a static asset and a URL that returns 404: a header added in only one location block, or only on success responses, will be missing elsewhere.