X-Content-Type-Options is a security HTTP response header that stops browsers from MIME-sniffing responses, reducing the risk that content is executed as something other than its declared type.
What Is X-Content-Type-Options?
X-Content-Type-Options is an HTTP response header that tells browsers to strictly follow the declared Content-Type of a response instead of guessing the type. Without this protection, browsers may “sniff” a file’s MIME type from its contents and misinterpret it, potentially executing it as a script or rendering it as HTML.
Why X-Content-Type-Options Matters for Security & SEO:
- Prevents Code Injection – Stops browsers from executing script content that is served under an unexpected, non-script Content-Type.
- Protects User Data – Reduces the attack surface for content-based exploits.
- Supports Compliance – Aligns with OWASP security recommendations.
- Improves Trust – Keeps your site safer for visitors and search engines.
- Indirect SEO Benefit – Secure sites maintain better user engagement and avoid being flagged as unsafe in search results.
Common Implementation:
- The most common value is nosniff, which tells browsers not to override the declared Content-Type.
Apache Example (requires mod_headers to be enabled):
Header set X-Content-Type-Options "nosniff"
Nginx Example:
add_header X-Content-Type-Options "nosniff";
Note that add_header directives placed in a location block replace, rather than extend, those inherited from the server block, and add_header only applies to 2xx and 3xx responses unless the always parameter is appended.
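Once the header is configured, the next step is verifying that responses actually carry it. The following Python script is an added example, not code from the original page: it parses raw HTTP/1.1 response headers, checks that X-Content-Type-Options is present with the value nosniff (compared case-insensitively on the first comma-separated value, as browsers do), and also flags responses with no Content-Type at all, since nosniff only helps when the server declares a type for the browser to follow. The sample responses are constructed for the example and were not captured from any real server.

```python
"""Audit HTTP responses for X-Content-Type-Options: nosniff.

Added example (not from the original page). Parses raw HTTP/1.1 response
headers, checks for a correct nosniff header, and flags responses that
would still be risky, such as a missing or empty Content-Type.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    status: str                                   # "ok" or "fail"
    reasons: list = field(default_factory=list)   # why it failed, if it did


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a dict.

    Header names are lower-cased because HTTP header names are
    case-insensitive; repeated headers are joined with a comma.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:            # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_nosniff(headers: dict) -> Finding:
    """Return a Finding describing whether the response is protected.

    Rules:
    - X-Content-Type-Options must be present and its first comma-separated
      value must be "nosniff" (ASCII case-insensitive); any other value is
      ignored by browsers and therefore reported as a failure.
    - Content-Type must be present and non-empty, otherwise there is no
      declared type for the browser to follow.
    """
    reasons = []
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        reasons.append("X-Content-Type-Options header missing")
    elif xcto.split(",", 1)[0].strip().lower() != "nosniff":
        reasons.append(f"unexpected X-Content-Type-Options value: {xcto!r}")
    ctype = headers.get("content-type", "").strip()
    if not ctype:
        reasons.append("Content-Type missing or empty; nothing for nosniff to enforce")
    return Finding("ok" if not reasons else "fail", reasons)


# Constructed sample responses for the example (not captured from a real server).
SAMPLES = {
    "pdf_protected": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/pdf\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"\r\n"
        b"%PDF-1.7 ..."
    ),
    "upload_unprotected": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"<html>looks like HTML but is declared text/plain</html>"
    ),
    "no_content_type": (
        b"HTTP/1.1 200 OK\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"\r\n"
        b"..."
    ),
}


def audit_all(samples=SAMPLES) -> dict:
    """Audit every sample response and return a name -> Finding mapping."""
    return {name: audit_nosniff(parse_headers(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, finding in audit_all().items():
        print(f"{name}: {finding.status}", *finding.reasons, sep="\n  ")
```

To use this against a live site, replace the constructed SAMPLES with raw responses captured by your own HTTP client; the audit logic does not depend on the transport. Checking each response, rather than only the front page, matters because the header is typically set per location block and is easy to lose on a single download or upload endpoint.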
Example in Practice:
A website serving PDF files uses X-Content-Type-Options: nosniff to ensure browsers don’t misinterpret them as HTML or script files.