Headers & Policies
X-Content-Type-Options
X-Content-Type-Options is an HTTP header with one valid value: nosniff. It prevents browsers from MIME-sniffing a response away from the declared Content-Type, which could allow an attacker to make browsers execute uploaded files as scripts. For example, without this header, an attacker might upload a file that is served as text/plain but the browser interprets it as JavaScript. This is a simple, one-line security improvement with no downside.
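The following is an added example (not part of the original page) that mirrors how a browser evaluates this header: it checks whether a response's X-Content-Type-Options value would be honoured, decides whether nosniff makes the browser refuse a response fetched as a script or stylesheet, and emits the findings a scanner would raise. The header dicts are constructed sample input; the JavaScript MIME type list is the one from the MIME Sniffing standard.

```python
# JavaScript MIME type essences from the MIME Sniffing standard. With nosniff
# set, a script request whose response is not one of these is blocked.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def _header(headers, name):
    """Case-insensitive lookup of a header name in a plain dict (constructed input)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def has_nosniff(headers):
    """True if a browser would honour the header: per the Fetch standard only the
    first comma-separated value counts and it must match 'nosniff' case-insensitively."""
    value = _header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    first = value.split(",")[0].strip()
    return first.lower() == "nosniff"


def nosniff_blocks(headers, destination):
    """Does nosniff make the browser refuse this response for a 'script' or 'style'
    request? Without the header the browser may sniff and the response is not blocked."""
    if not has_nosniff(headers):
        return False
    content_type = _header(headers, "Content-Type") or ""
    essence = content_type.split(";")[0].strip().lower()  # drop parameters such as charset
    if destination == "script":
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # other destinations (images, documents) are not affected by nosniff


def audit(headers):
    """Findings a header scanner would report for one response."""
    findings = []
    if _header(headers, "X-Content-Type-Options") is None:
        findings.append("X-Content-Type-Options header missing")
    elif not has_nosniff(headers):
        findings.append("X-Content-Type-Options present but value is not 'nosniff'")
    return findings
```

The text/plain upload case from the paragraph above is `nosniff_blocks({"X-Content-Type-Options": "nosniff", "Content-Type": "text/plain"}, "script")`, which returns True, whereas the same response without the header returns False.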
Why it matters for your website
- Simple HTTP header with immediate security improvement at no performance cost
- Checked by automated security scanners and compliance tools
- Missing headers are flagged as medium-to-high severity findings