How X-Content-Type-Options Works

The X-Content-Type-Options header accepts a single directive:

X-Content-Type-Options: nosniff

This directive instructs the browser to treat the server's Content-Type header as authoritative and to disable MIME-type sniffing for that response. When a browser that honours the header encounters it, the browser will:

  1. Block a request whose response Content-Type does not match the type the requesting context expects
  2. Prevent script execution if the file is not served with a JavaScript MIME type
  3. Block stylesheet application if the file lacks a proper CSS MIME type
  4. Refuse to render images with incorrect MIME types in certain contexts
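The following is an added example (not code from the original page) that models the blocking decision a nosniff-honouring browser makes for script and stylesheet loads, following the Fetch standard's "blocked due to nosniff" check. It assumes response headers are passed as a plain object, and it also shows the caveat that a missing or malformed Content-Type lets the response through, so nosniff only helps when the server also sends an accurate Content-Type.

```javascript
// Added example: models the Fetch standard's "should response to request be
// blocked due to nosniff?" check. Not code from the original page.

// Request destinations the check treats as "script-like".
const SCRIPT_LIKE = new Set(["audioworklet", "paintworklet", "script",
  "serviceworker", "sharedworker", "worker"]);

// JavaScript MIME type essences from the MIME Sniffing standard.
const JS_MIME = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Case-insensitive header lookup; `headers` is a plain object (assumption).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Extract the MIME type "essence" (type/subtype, lowercased, parameters
// dropped) from Content-Type, or null if the header is absent or malformed.
function mimeEssence(headers) {
  const ct = getHeader(headers, "content-type");
  if (ct === null) return null;
  const essence = ct.split(";")[0].trim().toLowerCase();
  return /^[^\s\/;]+\/[^\s\/;]+$/.test(essence) ? essence : null;
}

// True when the first X-Content-Type-Options value is "nosniff" (case-insensitive).
function nosniffEnabled(headers) {
  const raw = getHeader(headers, "x-content-type-options");
  if (raw === null) return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Decide whether a nosniff-honouring browser blocks this response for the
// given request destination ("script", "style", "image", ...).
function blockedByNosniff(destination, headers) {
  if (!nosniffEnabled(headers)) return false;
  const essence = mimeEssence(headers);
  // Caveat: with no usable Content-Type the check passes, so nosniff alone
  // does not protect a response that is served without a MIME type.
  if (essence === null) return false;
  if (SCRIPT_LIKE.has(destination)) return !JS_MIME.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false; // other destinations are not blocked by this particular check
}
```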