IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. X-Content-Type-Options

HTTP security header

X-Content-Type-Options

Setting X-Content-Type-Options: nosniff prevents browsers from guessing (sniffing) a response's content type, forcing them to honor the declared Content-Type. This blocks attacks where a file served as one type is interpreted as executable script, a common vector for stored-XSS via uploads.

Example

X-Content-Type-Options: nosniff

Configuration guidance

  • Send nosniff on all responses, especially user-uploaded content.
  • Pair with correct, explicit Content-Type headers.

Helps mitigate

Cross-Site Scripting (XSS)

Related headers

Content-Security-PolicyContent-Disposition
MDN: X-Content-Type-Options

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub