
Revision 1106323 of X-Content-Type-Options

  • Revision slug: Web/HTTP/Headers/X-Content-Type-Options
  • Revision title: X-Content-Type-Options
  • Revision id: 1106323
  • Created:
  • Creator: teoli
  • Is current revision? No
  • Comment

Revision Content

{{HTTPSidebar}}

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the {{HTTPHeader("Content-Type")}} headers are deliberate and must be followed, not changed. It lets a site opt out of MIME sniffing; in other words, it is the server's way of saying that the webmasters knew what they were doing when they chose the Content-Type.

This header was introduced by Microsoft in Internet Explorer 8 as a way for webmasters to block the content sniffing that could transform non-executable MIME types into executable ones (for example, a file served as text/plain being interpreted and run as script or HTML). Other browsers have since adopted it, even though their MIME sniffing algorithms were less aggressive.

Site security testers usually expect this header to be set.

Header type {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}} no

Syntax

X-Content-Type-Options: nosniff

Directives

nosniff
Do not perform any MIME sniffing; apply the MIME type given with {{HTTPHeader("Content-Type")}} as-is. In the Fetch standard this also means that a response requested as a script is blocked unless its MIME type is a JavaScript MIME type, and a response requested as a stylesheet is blocked unless its MIME type is text/css. nosniff is the only defined value; it is matched case-insensitively, and a misspelt or unknown value is treated as if the header were absent.
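The following is an added example, not code from MDN or from any browser, that shows how a security tester can check the header the way a browser reads it. It parses constructed HTTP/1.1 response heads (embedded below, not captured traffic) and reports whether each one opts out of MIME sniffing and whether a browser honouring nosniff would refuse to run the body as a script. The parsing of the header value follows the Fetch standard's rule: the value is split on commas and only the first member is consulted, case-insensitively. The list of JavaScript MIME types is a subset of the MIME Sniffing standard's list, and the function and sample names are this example's own.

```python
"""Audit HTTP responses for a correct X-Content-Type-Options header.

Added example, not MDN code. Constructed response heads are embedded
below so the script runs offline; point parse_response_head() at real
response bytes to check a live server.
"""
import re

NOSNIFF = "nosniff"

# Subset of the JavaScript MIME types listed in the MIME Sniffing standard
# (assumption: enough for illustration, not the complete list).
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/ecmascript",
    "text/ecmascript", "application/x-javascript", "text/jscript",
}


def parse_response_head(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers).

    Header names are lower-cased and mapped to a list of values, because
    a header may appear more than once in a response.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def nosniff_enabled(headers) -> bool:
    """Fetch's 'determine nosniff': first comma-separated member, case-insensitive."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first = values[0].split(",")[0].strip().lower()
    return first == NOSNIFF


def content_type_essence(headers):
    """The MIME type without parameters, e.g. 'text/javascript; charset=utf-8' -> 'text/javascript'."""
    values = headers.get("content-type")
    if not values:
        return None
    return values[-1].split(";", 1)[0].strip().lower()


def script_blocked(headers) -> bool:
    """True if a browser honouring nosniff would refuse to run this response as a <script>."""
    if not nosniff_enabled(headers):
        return False
    return content_type_essence(headers) not in JS_MIME_TYPES


def audit(raw: bytes) -> dict:
    """Return a verdict on the X-Content-Type-Options header of one response."""
    status, headers = parse_response_head(raw)
    values = headers.get("x-content-type-options", [])
    if not values:
        verdict = "missing"
    elif nosniff_enabled(headers):
        verdict = "ok"
    else:
        verdict = "invalid: " + values[0]
    return {
        "status": status,
        "x-content-type-options": verdict,
        "content-type": content_type_essence(headers),
        "script_blocked": script_blocked(headers),
    }


# Constructed sample response heads (not real captured traffic).
SAMPLES = {
    "hardened": b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset=utf-8\r\n"
                b"X-Content-Type-Options: nosniff\r\n\r\nalert(1)",
    "missing": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nalert(1)",
    "mixed_case": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                  b"x-content-type-options: NoSniff\r\n\r\n",
    "bad_value": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"X-Content-Type-Options: none\r\n\r\n",
    "merged": b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
              b"X-Content-Type-Options: nosniff, nosniff\r\n\r\n",
}


def audit_all() -> dict:
    """Audit every embedded sample; keys are the sample names."""
    return {name: audit(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:10s} {result}")
```

The "mixed_case" sample is the interesting one: the header is honoured (the name and value are case-insensitive), and because the body is labelled text/plain a browser will refuse to execute it as a script, which is exactly the protection the header exists to provide. The "bad_value" sample shows the failure mode testers look for: a value other than nosniff gives no protection at all. On the server side the fix is usually a one-line configuration change, for example `add_header X-Content-Type-Options nosniff always;` in nginx.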

Specifications

Specification Status Comment
{{SpecName("Fetch", "X-Content-Type-Options definition", "x-content-type-options-header")}} {{Spec2("Fetch")}} Initial definition

Browser compatibility

{{Compat}}

See also

  • {{HTTPHeader("Content-Type")}}
