Stops browsers from guessing what type of file they've received — a behaviour that can be exploited to make a browser execute a plain text file as JavaScript.
Browsers have a feature called MIME-sniffing: when a server sends a file, the browser sometimes ignores the declared file type and tries to figure out the type itself by inspecting the file's contents. This was designed to handle misconfigured servers, but it creates a security problem.
If an attacker can upload a file to your site — say, a profile picture — they can craft it to look like an image but also contain valid JavaScript. If the browser MIME-sniffs it and decides "this looks like a script," it may execute it, bypassing your other defences.
Setting X-Content-Type-Options: nosniff tells the browser: "Trust the Content-Type header I send. Don't try to be clever and guess."
An analogy: you receive a package labelled "kitchen utensils." A suspicious delivery agent opens it and decides it looks more like electronics, so they route it to a different department where it causes problems. nosniff instructs the agent: "Read the label. Don't open the package to check."
Without the header, the browser is free to sniff file types. On sites that allow user uploads (avatars, attachments, documents), a crafted file could be executed as script instead of displayed as content.
Incorrect:
X-Content-Type-Options: no-sniff
The hyphen is a typo: the only valid value is nosniff (one word). Browsers ignore an unrecognised value, so this header as written provides no protection at all.
Correct:
X-Content-Type-Options: nosniff
Simple and complete. One directive, one value. The browser will strictly honour your Content-Type declarations.
This is one of the easiest headers to add. It has no configuration options — just set it and forget it.
nginx (inside the server or location block):
add_header X-Content-Type-Options "nosniff" always;
Apache (in the server config, a virtual host, or .htaccess; requires mod_headers):
Header always set X-Content-Type-Options "nosniff"
Cloudflare: use Transform Rules → Modify Response Header. Add X-Content-Type-Options with value nosniff.
Express (Node.js): if you use the Helmet middleware, this header is enabled by default:
const helmet = require('helmet');
app.use(helmet()); // X-Content-Type-Options: nosniff is included
Or set it manually:
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  next();
});
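To verify the header actually reaches the browser, here is an added example (not code from the original page or from Helmet) that audits a response's headers the way a header scanner would: it distinguishes a missing header, the no-sniff typo above, and a correct value, and it also warns when no Content-Type is declared, since nosniff can only enforce a type the server actually states. The sample header sets are constructed; auditUrl is a hypothetical helper that needs Node 18+ for global fetch.

```javascript
// Audit the X-Content-Type-Options header on a response.
// `headers` is a plain object of header name -> value. Header names are
// case-insensitive, so they are normalised before comparison; the value
// must be "nosniff" (also compared case-insensitively). Any other value,
// such as the "no-sniff" typo, is ignored by browsers.
function checkNosniff(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  // nosniff only helps when a Content-Type is declared for the browser to trust.
  const contentTypeDeclared = 'content-type' in lower;

  if (!('x-content-type-options' in lower)) {
    return { status: 'missing', contentTypeDeclared,
             detail: 'header not set; browsers may MIME-sniff the body' };
  }
  // A header sent more than once is joined with ", " by fetch(); inspect each value.
  const values = lower['x-content-type-options']
    .split(',')
    .map((v) => v.trim().toLowerCase());
  if (values.includes('nosniff')) {
    return { status: 'ok', contentTypeDeclared, detail: 'nosniff present' };
  }
  return { status: 'invalid', contentTypeDeclared,
           detail: `value "${lower['x-content-type-options']}" is not "nosniff" and is ignored` };
}

// Constructed sample responses, one per case described on the page.
const samples = {
  missing: { 'Content-Type': 'image/png' },
  typo:    { 'Content-Type': 'image/png', 'X-Content-Type-Options': 'no-sniff' },
  correct: { 'content-type': 'image/png', 'x-content-type-options': 'nosniff' },
  noType:  { 'x-content-type-options': 'nosniff' },
};

// Hypothetical helper: fetch a URL and audit its live response headers.
async function auditUrl(url) {
  const res = await fetch(url);
  return checkNosniff(Object.fromEntries(res.headers.entries()));
}

for (const [name, h] of Object.entries(samples)) {
  console.log(name.padEnd(8), checkNosniff(h));
}
```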