What is X-Content-Type-Options (nosniff)?
X-Content-Type-Options is a security header with one job: when set to nosniff, it stops the browser from second-guessing the type of a file and running it as something it is not. Roughly 63% of Australian small business websites send no nosniff header at all*:
- The risk it removes — browsers sometimes try to guess whether a file is an image, a stylesheet or a script; an attacker can abuse that guess to make an uploaded file run as code.
- nosniff — the only value it takes; it tells the browser to trust the declared type and never guess.
- No downside — on a correctly configured site nothing changes for visitors, so there is no reason to leave it off.
It is a one-line header with no trade-off — the cleanest win on this list.