X-Content-Type-Options

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

This header was introduced by Microsoft in IE 8 as a way for webmasters to block the content sniffing that was happening, which could transform non-executable MIME types into executable ones. Since then, other browsers have introduced it, even if their MIME sniffing algorithms were less aggressive.

Starting with Firefox 72, top-level documents also avoid MIME sniffing (if Content-Type is provided). This can cause HTML web pages to be downloaded instead of being rendered when they are served with a MIME type other than text/html. Make sure to set both headers correctly.

Site security testers usually expect this header to be set.

Note: X-Content-Type-Options only applies request blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).


X-Content-Type-Options: nosniff

nosniff

Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.
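The blocking rule above and the "both headers" advice earlier, modelled as an added example (hypothetical helper code, not MDN's or any browser's implementation): `nosniff_blocks` decides whether a script or style fetch is blocked for a given response, and `audit_response` flags what a site security tester would look for. The JavaScript MIME type set is assumed to be a representative subset of the HTML specification's list.

```python
# JavaScript MIME types recognised by this demo (assumption: a representative
# subset of the HTML spec's list, enough to illustrate the check).
JAVASCRIPT_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}

def _header(headers: dict, name: str):
    """Case-insensitive lookup: HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def essence(content_type: str) -> str:
    """Drop parameters: 'text/css; charset=utf-8' -> 'text/css'."""
    return content_type.split(";", 1)[0].strip().lower()

def has_nosniff(headers: dict) -> bool:
    """True when the first list member of X-Content-Type-Options is 'nosniff'."""
    value = _header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"

def nosniff_blocks(destination: str, headers: dict) -> bool:
    """Request blocking as described on this page: only 'script' and 'style'
    destinations, and only when the header is present with 'nosniff'."""
    if not has_nosniff(headers):
        return False  # no header: the browser may sniff the type
    mime = essence(_header(headers, "Content-Type") or "")
    if destination == "script":
        return mime not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False  # other destinations are not request-blocked by nosniff

def audit_response(headers: dict) -> list:
    """Findings a site security tester would raise for one response."""
    findings = []
    if _header(headers, "Content-Type") is None:
        findings.append("Content-Type missing; nosniff has nothing to enforce")
    if _header(headers, "X-Content-Type-Options") is None:
        findings.append("X-Content-Type-Options missing")
    elif not has_nosniff(headers):
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings
```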
