
X-Content-Type-Options: nosniff (Copy-Paste)


X-Content-Type-Options: nosniff tells browsers to trust your Content-Type instead of “sniffing” the body and guessing a more dangerous type. Without it, a user-uploaded file served as text/plain or as an image can be reinterpreted as HTML and run script in your origin. The header has a single value and, apart from the MIME-type strictness described under the side effect below, no downside; send it on every response, including error pages.

The value

X-Content-Type-Options: nosniff

Nginx

add_header X-Content-Type-Options "nosniff" always;

Apache

Header always set X-Content-Type-Options "nosniff"

Caddy

header X-Content-Type-Options "nosniff"

_headers (Netlify, Cloudflare Pages)

/*
  X-Content-Type-Options: nosniff

Verify

curl -sI https://yourdomain.com | grep -i x-content-type-options

Repeat against a nonexistent path as well: the `always` keyword in the Nginx and Apache lines above is what makes the header appear on 4xx/5xx responses, and a static or error page without it is still a sniffing target.

Side effect to know: with nosniff, browsers enforce that scripts and stylesheets arrive with a correct MIME type (a JavaScript type such as text/javascript for scripts, exactly text/css for stylesheets). If a missing script path falls through to an HTML page with a 200 status (a typical SPA catch-all serving index.html), or your server labels .js, .mjs or .css files as application/octet-stream or text/plain, the browser will now refuse to run or apply them. Fix the Content-Type, don’t drop nosniff.
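To make the side effect concrete, here is an added example (not part of this recipe, and not a browser's actual code) that models the two checks the Fetch standard runs: whether the header is present, and whether a script-like or style response would be blocked because of its Content-Type. It then audits a constructed set of responses that reproduce the failure modes above. The response URLs, headers and the Response/audit helpers are assumptions for illustration; MIME-type extraction is simplified to type/subtype without parameters.

```python
"""Model of how a browser applies X-Content-Type-Options: nosniff.

Added example (not the recipe's own code): implements the Fetch standard's
"determine nosniff" and "should response to request be blocked due to
nosniff?" checks and runs them over constructed responses that mimic
common deployment mistakes.
"""
from dataclasses import dataclass

# Request destinations the Fetch standard calls "script-like".
SCRIPT_LIKE = {"script", "worker", "sharedworker", "serviceworker",
               "audioworklet", "paintworklet"}

# JavaScript MIME type essences listed by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def determine_nosniff(headers):
    """Fetch 'determine nosniff': only the first comma-separated value of
    X-Content-Type-Options is examined, compared case-insensitively."""
    value = header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",")[0].strip().lower() == "nosniff"


def mime_essence(headers):
    """Simplified 'extract a MIME type': lowercased type/subtype without
    parameters; None when Content-Type is missing or malformed."""
    value = header(headers, "Content-Type")
    if value is None:
        return None
    essence = value.split(";")[0].strip().lower()
    return essence if "/" in essence else None


def blocked_by_nosniff(destination, headers):
    """Fetch 'should response to request be blocked due to nosniff?'.
    Without the header nothing is blocked here (legacy sniffing applies)."""
    if not determine_nosniff(headers):
        return False
    essence = mime_essence(headers)
    if destination in SCRIPT_LIKE:
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


@dataclass
class Response:
    """Constructed stand-in for a fetched response (hypothetical helper)."""
    url: str
    destination: str
    headers: dict


def audit(responses):
    """One finding per response that lacks the header or that a
    nosniff-enforcing browser would reject."""
    findings = []
    for r in responses:
        if not determine_nosniff(r.headers):
            findings.append(f"{r.url}: X-Content-Type-Options: nosniff missing")
        elif blocked_by_nosniff(r.destination, r.headers):
            findings.append(f"{r.url}: {r.destination} blocked, Content-Type is "
                            f"{header(r.headers, 'Content-Type')!r}")
    return findings


# Constructed sample responses (not real captures), one per failure mode.
NOSNIFF = {"X-Content-Type-Options": "nosniff"}
SAMPLE = [
    Response("/app.js", "script", {"Content-Type": "text/javascript; charset=utf-8", **NOSNIFF}),
    Response("/vendor.mjs", "script", {"Content-Type": "application/octet-stream", **NOSNIFF}),  # mislabelled .mjs
    Response("/missing.js", "script", {"Content-Type": "text/html", **NOSNIFF}),  # SPA catch-all returned index.html
    Response("/site.css", "style", {"Content-Type": "text/plain", **NOSNIFF}),  # mislabelled stylesheet
    Response("/upload/readme.txt", "document", {"Content-Type": "text/plain"}),  # header not sent at all
]

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["all clear"]:
        print(line)
```

Only /app.js passes: the other four responses each produce a finding, which is exactly the set of misconfigurations to fix server-side before, not instead of, sending the header.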
