LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What does X-Content-Type-Options: nosniff do?

Tells the browser to trust the server's Content-Type header and not "sniff" the actual file contents to guess a different type.

Without it, browsers historically tried to be helpful: if a server said Content-Type: text/plain but the file started with <html>, the browser might render it as HTML anyway. That helpfulness was an attack vector:

  • An app accepts user uploads and serves them with Content-Type: text/plain.
  • The attacker uploads a file that looks like text but contains <script> tags.
  • A sniffing browser renders it as HTML → stored XSS on your own domain.

nosniff makes the browser obey the declared type literally — no rendering scripts from a text/plain resource.

Tip: Pair it with a correct Content-Type for every response (don't rely on the browser to guess). Also: serve user uploads from a separate origin (uploads.example.com) so even an XSS there can't touch the main app's cookies.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026