
The Most Commonly Missing Security Header (1 Line to Fix)

Updated April 2026

Reading this article? Verify your fix in real-time. Check which security headers you are missing → HeadersFixer

X-Content-Type-Options: nosniff is one of the most impactful security headers relative to implementation effort. One line. No configuration, no policy to tune. The only thing it can break is an asset you were already serving with the wrong Content-Type. And it is missing from a large proportion of sites that do have HSTS and X-Frame-Options.

What it does

Without nosniff, browsers do not treat the declared Content-Type as authoritative. A script tag pointing at a response labelled text/plain (a user upload, a log endpoint, anything that echoes attacker-controlled text) is still executed as JavaScript if the body parses as JavaScript, and older browsers would sniff a text/plain document into HTML. The header exists to stop these MIME-confusion attacks.

With nosniff, the browser strictly respects the declared Content-Type for script and stylesheet loads: a script only runs if the response carries a JavaScript MIME type (text/javascript, application/javascript and the other registered variants), and a stylesheet only applies if the response is text/css. A text/plain response is never executed as JavaScript, even if an attacker tricks a user into loading it. Other resource types (images, fetch responses) are not affected by the header.

The fix — one line per stack

Nginx

add_header X-Content-Type-Options "nosniff" always;

The always parameter makes Nginx emit the header on error responses too, not only on 2xx and 3xx. Watch inheritance: add_header directives are inherited from the server level only when the current location block has none of its own, so a location that sets any other add_header silently drops this one unless you repeat it there.

Apache

Header always set X-Content-Type-Options "nosniff"

Requires mod_headers (a2enmod headers on Debian/Ubuntu).

Express

const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet()); // helmet sets X-Content-Type-Options: nosniff by default
// or manually:
app.use((req, res, next) => { res.setHeader("X-Content-Type-Options", "nosniff"); next(); });

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" }
      ]
    }
  ]
}

Netlify (_headers file)

/*
  X-Content-Type-Options: nosniff

Cloudflare (Transform Rules)

Rules → Transform Rules → Modify Response Header → add a static header: X-Content-Type-Options = nosniff

The rule lives under Rules, not Workers; no Worker code is needed.

Why it is safe to add with almost no testing

Unlike HSTS (which can lock users out of your site if HTTPS breaks) or CSP (which can block legitimate resources), nosniff only tells the browser to stop second-guessing your Content-Type. On a correctly configured site it changes nothing. The one thing it can break is an asset that was already mislabelled: a script served as text/plain or application/octet-stream, or a stylesheet served as anything but text/css, stops loading once the header is present, because the browser now refuses to guess. Those are bugs worth fixing anyway, so the practical downside is nil: add the header, then load your main pages once with the developer console open and look for errors about blocked MIME types.
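The behaviour described in "What it does" and the caveat above can be checked in code. The following is an added example written for this article, not code from the article or from HeadersFixer: it encodes the rule browsers apply when the header is present, taken from the Fetch standard's nosniff check (script-like destinations need a JavaScript MIME type, style needs text/css, everything else is untouched), and uses that rule as a pre-flight scan over an inventory of the assets your pages load. The inventory is constructed sample data; header objects use lowercase keys, as Node's http module does.

```javascript
// Added example (not from the original article): a model of what
// X-Content-Type-Options: nosniff changes in the browser, plus the one
// pre-flight check worth running before adding it. MIME rules follow the
// Fetch and MIME Sniffing standards; the asset inventory is constructed data.

// JavaScript MIME types a script-like request may load under nosniff
// (MIME Sniffing standard, "JavaScript MIME type").
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Request destinations that Fetch treats as "script-like".
const SCRIPT_LIKE = new Set([
  "script", "worker", "sharedworker", "serviceworker", "audioworklet", "paintworklet",
]);

// Reduce a Content-Type value to its MIME essence: lowercase type/subtype
// with parameters such as charset stripped.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Fetch's "determine nosniff": only the first list member of the header is
// consulted, compared case-insensitively against "nosniff".
function hasNosniff(headers) {
  const value = headers["x-content-type-options"];
  if (typeof value !== "string") return false;
  return value.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Will the browser use this response for the given request destination?
// Without nosniff the Content-Type is ignored for scripts and styles: valid
// JavaScript in a text/plain body still runs. With nosniff, scripts need a
// JavaScript MIME type and stylesheets need text/css; a missing Content-Type
// counts as a mismatch. Other destinations are never blocked by this header.
function browserAccepts(destination, headers) {
  if (!hasNosniff(headers)) return true;
  const essence = mimeEssence(headers["content-type"]);
  if (SCRIPT_LIKE.has(destination)) return JS_MIME_TYPES.has(essence);
  if (destination === "style") return essence === "text/css";
  return true;
}

// Pre-flight check: given {url, destination, contentType} for the assets your
// pages load, list the ones nosniff would start blocking. Each hit is a
// mislabelled asset to fix (correct its Content-Type), not a reason to skip
// the header.
function assetsNosniffWouldBreak(assets) {
  const nosniff = { "x-content-type-options": "nosniff" };
  return assets
    .filter(a => !browserAccepts(a.destination, { ...nosniff, "content-type": a.contentType }))
    .map(a => `${a.url} (${a.destination} served as ${a.contentType || "no Content-Type"})`);
}

// Constructed sample inventory, shaped like what a crawl of your own pages
// (or a pass over your access logs) would produce.
const sampleAssets = [
  { url: "/static/app.js",      destination: "script", contentType: "text/javascript; charset=utf-8" },
  { url: "/static/vendor.js",   destination: "script", contentType: "application/javascript" },
  { url: "/legacy/widget.js",   destination: "script", contentType: "text/plain" },
  { url: "/static/site.css",    destination: "style",  contentType: "text/css" },
  { url: "/themes/dark.css",    destination: "style",  contentType: "application/octet-stream" },
  { url: "/uploads/avatar.png", destination: "image",  contentType: "image/png" },
];

// The attack the header stops: an uploaded file served as text/plain whose
// body happens to be valid JavaScript, loaded via <script src> by an attacker's page.
const uploadedFile = { "content-type": "text/plain" };
const uploadedFileNosniff = { ...uploadedFile, "x-content-type-options": "nosniff" };

console.log("script from text/plain, no header: ", browserAccepts("script", uploadedFile));
console.log("script from text/plain, nosniff:   ", browserAccepts("script", uploadedFileNosniff));
console.log("assets nosniff would block:");
for (const hit of assetsNosniffWouldBreak(sampleAssets)) console.log("  " + hit);
```

Feed assetsNosniffWouldBreak the real Content-Type values from your own pages (curl -sI on each script and stylesheet URL is enough for a small site) and fix whatever it lists before or right after adding the header; the output of the constructed sample shows the two shapes of problem to expect, a script served as text/plain and a stylesheet served as application/octet-stream.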

The other one-liners to add at the same time

# Safe to add immediately; nosniff only needs a quick console check for mislabelled assets,
# and strict-origin-when-cross-origin is already the modern browser default
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# These need more care:
# add_header Strict-Transport-Security "..." always;  # only after HTTPS works
# add_header Content-Security-Policy "..." always; # test first

Use HeadersFixer to scan your site and see which of these one-liners you are missing.

Check which security headers you are missing → HeadersFixer
Check if your domain is on the HSTS preload list → HSTS Preload Checker