What is X-Content-Type-Options (nosniff)?

X-Content-Type-Options is a security header with one job: when set to nosniff, it stops the browser from second-guessing the type of a file and running it as something it is not. Roughly 63% of Australian small business websites send no nosniff header at all*:

  • The risk it removes — browsers sometimes try to guess whether a file is an image, a stylesheet or a script; an attacker can abuse that guess to make an uploaded file run as code.
  • nosniff — the only value it takes; it tells the browser to trust the declared type and never guess.
  • No downside — on a correctly configured site nothing changes for visitors, so there is no reason to leave it off.

It is a one-line header with no trade-off — the cleanest win on this list.