X-Content-Type-Options Header

Table of Contents

  • Syntax
  • Directives
  • Examples
  • Browser Compatibility
  • How to modify X-Content-Type-Options header

The X-Content-Type-Options header is a security feature that helps prevent attacks based on MIME-type confusion. It lets a web server declare that browsers (or other complying user agents) should not override the declared Content-Type. This helps prevent content-sniffing attacks, where an attacker injects malicious content into a website and the browser interprets that content differently than the server intended.

Syntax

X-Content-Type-Options: nosniff

Directives

The only directive supported by X-Content-Type-Options is nosniff. It blocks a request if the request destination is of type "style" and the MIME type is not "text/css", or if the destination is of type "script" and the MIME type is not a JavaScript MIME type.
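
The blocking rule above as a simplified model, added here as an illustration (not code from the original page or from any browser). The function names and the sample response are constructed; the JavaScript MIME type list follows the WHATWG MIME Sniffing standard, and only the "script" and "style" destinations named above are modelled.

```javascript
// Added example: simplified model of the nosniff check described above.
// Function names and the sample response are constructed for illustration.

// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Look up a response header by name, case-insensitively; null if absent.
function getHeader(headers, name) {
  const hit = Object.entries(headers)
    .find(([k]) => k.toLowerCase() === name.toLowerCase());
  return hit ? String(hit[1]) : null;
}

// nosniff applies when the first comma-separated value is "nosniff".
function hasNosniff(headers) {
  const raw = getHeader(headers, "X-Content-Type-Options");
  if (raw === null) return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Reduce "Text/CSS; charset=utf-8" to its essence "text/css".
function mimeEssence(headers) {
  const raw = getHeader(headers, "Content-Type");
  return raw === null ? "" : raw.split(";")[0].trim().toLowerCase();
}

// Returns true when a browser honouring nosniff would refuse the response.
function blockedByNosniff(destination, headers) {
  if (!hasNosniff(headers)) return false;
  const essence = mimeEssence(headers);
  if (destination === "script") return !JS_MIME_TYPES.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false; // other destinations are not covered by this rule
}

// Constructed sample: a user upload served as text/plain, loaded via <script>.
const upload = { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" };
console.log(blockedByNosniff("script", upload));
```

A missing or empty Content-Type is also blocked for both destinations in this model, because an empty essence matches neither text/css nor any JavaScript MIME type.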

Examples

Here is an example of how to use the X-Content-Type-Options header in an HTTP response:

HTTP/1.1 200 OK
Date: Tue, 15 May 2018 16:13:53 GMT
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8

With this header, the response above instructs the browser not to sniff the content type, which helps prevent security vulnerabilities.

Browser Compatibility

Browser    Compatibility
Chrome     Supported
Firefox    Supported
Safari     Supported
Opera      Supported
Edge       Supported

How to modify X-Content-Type-Options header

ModHeader is a Google Chrome extension that adds, modifies, and removes HTTP request headers. You can use it to add the X-Content-Type-Options header to your requests as follows:

  1. First, add the ModHeader extension to your Chrome browser.
  2. Click on the ModHeader icon in the toolbar, which opens the extension.
  3. In the Request Headers section, click on the 'add' button.
  4. Enter 'X-Content-Type-Options' in the 'Name' field and 'nosniff' in the 'Value' field.
  5. Now, all your subsequent requests will contain this header until you remove it.

Being able to change request headers directly in your browser can be very helpful for testing how your server handles different scenarios.