Overview
The X-Content-Type-Options HTTP response header instructs browsers not to perform MIME type sniffing — the practice of inspecting response content to infer its type rather than trusting the declared Content-Type header. When this header is absent or not set to nosniff, certain browsers may override the server-declared content type and interpret the response as a different, potentially executable type. This header is defined as part of the WHATWG Fetch Living Standard and is supported by all major modern browsers.
Sensagraph automatically detects the absence of this header across all scanned HTTP responses.
How it works
MIME sniffing is a browser heuristic introduced to handle misconfigured servers that serve content with incorrect or missing Content-Type headers. Instead of strictly trusting the declared type, the browser reads the first bytes of the response body (the "magic bytes") and attempts to determine the true content type. While this improves compatibility, it creates a security risk:
- Script execution from non-script resources: If an attacker can upload a file containing JavaScript (e.g., an image or CSV) and the server serves it with a non-script MIME type, some browsers may still execute it as a script if referenced in a
<script>tag withoutnosniffprotection. - Cross-site scripting (XSS) facilitation: In older browser versions without
nosniff, a JSON or text resource containing HTML/JS could be rendered as HTML, enabling XSS attacks. - Stylesheet injection: Similarly, resources served as plain text could be interpreted as CSS, enabling CSS-based data exfiltration or UI redressing.
- Attack preconditions: Exploitation typically requires user-controlled content (file upload, injection point) to reach a page that includes the content in an exploitable context, or a CORS misconfiguration that permits cross-origin reads.
When the X-Content-Type-Options: nosniff header is present, browsers that support it (Chrome, Firefox, Edge, Safari 16+) will block requests where the MIME type does not match the expected type for the resource context (e.g., blocking a response with text/plain from being loaded as a script).
Business impact
In isolation, the missing header represents a low-severity finding. However, it can contribute to higher-severity attack chains in the following ways:
- Cross-site scripting (XSS): Content sniffing can be chained with user-controlled uploads or injection points to execute arbitrary JavaScript in a victim's browser, leading to session hijacking, credential theft, or unauthorized actions.
- Data exfiltration: CSS injection via sniffed stylesheets can be used to exfiltrate sensitive page content character by character.
- Compliance risk: PCI DSS, HIPAA, and ISO 27001 security reviews commonly flag missing security headers. Absence of
nosniffmay be cited in audit findings. - Reputation and trust: Security scanners and browser developer tools visibly flag this deficiency, which can erode confidence among security-conscious users and partners.
How to fix it
- Add the header globally: Configure your web server, CDN, or application framework to include
X-Content-Type-Options: nosniffin all HTTP responses. This is the only valid value defined by the specification. - Apache: Add
Header always set X-Content-Type-Options "nosniff"to yourhttpd.confor.htaccessfile (requiresmod_headers). - Nginx: Add
add_header X-Content-Type-Options "nosniff" always;to yourserverorlocationblock. - IIS: Add a custom HTTP response header named
X-Content-Type-Optionswith valuenosniffvia IIS Manager orweb.config. - Application frameworks: In Express.js, use the
helmetmiddleware (helmet.noSniff()). In Django, setSECURE_CONTENT_TYPE_NOSNIFF = True. In ASP.NET Core, useapp.UseXContentTypeOptions()from theNWebSecpackage or configure it in the response pipeline. - Serve correct MIME types: Independently of the header, ensure all resources are served with accurate
Content-Typevalues. This reduces the browser's motivation to sniff and improves general correctness. - Verify deployment: After applying the fix, inspect HTTP response headers using browser developer tools or a tool like
curl -I https://yourdomain.comand confirm the header is present on all relevant responses, including error pages and API endpoints.
References
- MDN Web Docs – X-Content-Type-Options
- WHATWG Fetch Living Standard – X-Content-Type-Options
- OWASP Secure Headers Project – X-Content-Type-Options
- MITRE CWE-693: Protection Mechanism Failure
- OWASP Top 10 2021 – A05: Security Misconfiguration
- RFC 9110 – HTTP Semantics (IETF)
- Helmet.js – HTTP security headers middleware for Node.js