HTTP security header
X-Content-Type-Options
Setting X-Content-Type-Options: nosniff prevents browsers from guessing (sniffing) a response's content type, forcing them to honor the declared Content-Type. This blocks attacks where a file served as one type is interpreted as executable script, a common vector for stored-XSS via uploads.
Example
X-Content-Type-Options: nosniffConfiguration guidance
- Send nosniff on all responses, especially user-uploaded content.
- Pair with correct, explicit Content-Type headers.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app