Quiz Entry - updated: 2026.06.26
What does X-Content-Type-Options: nosniff do?
Tells the browser to trust the server's Content-Type header and not "sniff" the actual file contents to guess a different type.
Without it, browsers historically tried to be helpful: if a server said Content-Type: text/plain but the file started with <html>, the browser might render it as HTML anyway. That helpfulness was an attack vector:
- An app accepts user uploads and serves them with
Content-Type: text/plain. - The attacker uploads a file that looks like text but contains
<script>tags. - A sniffing browser renders it as HTML → stored XSS on your own domain.
nosniff makes the browser obey the declared type literally — no rendering scripts from a text/plain resource.
Tip: Pair it with a correct Content-Type for every response (don't rely on the browser to guess). Also: serve user uploads from a separate origin (uploads.example.com) so even an XSS there can't touch the main app's cookies.