Please note, this is a STATIC archive of website developer.mozilla.org from 03 Nov 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Revision 1111831 of X-Content-Type-Options

  • Revision slug: Web/HTTP/Headers/X-Content-Type-Options
  • Revision title: X-Content-Type-Options
  • Revision id: 1111831
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment fix github url

Revision Content

{{HTTPSidebar}}

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the {{HTTPHeader("Content-Type")}} headers should be followed and not changed. This allows a site to opt out of MIME type sniffing; in other words, it is a way for the webmaster to say they knew what they were doing.

This header was introduced by Microsoft in IE 8 as a way for webmasters to block the content sniffing that was taking place and could transform non-executable MIME types into executable MIME types. Since then, other browsers have adopted it, even though their MIME sniffing algorithms were less aggressive.

Site security testers usually expect this header to be set.

Header type {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}} no

Syntax

X-Content-Type-Options: nosniff

Directives

nosniff
Do not perform any MIME sniffing. Apply the MIME type given with {{HTTPHeader("Content-Type")}}. Per the Fetch specification this also blocks a request whose destination is script when the response's MIME type is not a JavaScript MIME type, and a request whose destination is style when the MIME type is not text/css.

Specifications

Specification Status Comment
{{SpecName("Fetch", "#x-content-type-options-header", "X-Content-Type-Options definition")}} {{Spec2("Fetch")}} Initial definition

Browser compatibility

{{Compat}}

See also

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The <code><strong>X-Content-Type-Options</strong></code> response HTTP header is a marker used by the server to indicate that the <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME types</a> advertised in the {{HTTPHeader("Content-Type")}} headers should be followed and not changed. This allows a site to opt out of <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing">MIME type sniffing</a>; in other words, it is a way for the webmaster to say they knew what they were doing.</p>

<p>This header was introduced by Microsoft in IE 8 as a way for webmasters to block the content sniffing that was taking place and could transform non-executable MIME types into executable MIME types. Since then, other browsers have adopted it, even though their MIME sniffing algorithms were less aggressive.</p>

<p>Site security testers usually expect this header to be set.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">Header type</th>
   <td>{{Glossary("Response header")}}</td>
  </tr>
  <tr>
   <th scope="row">{{Glossary("Forbidden header name")}}</th>
   <td>no</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<pre class="syntaxbox">
X-Content-Type-Options: nosniff
</pre>

<h2 id="Directives">Directives</h2>

<dl>
 <dt><code>nosniff</code></dt>
 <dd>Do not perform any MIME sniffing. Apply the MIME type given with {{HTTPHeader("Content-Type")}}. Per the Fetch specification this also blocks a request whose destination is script when the response's MIME type is not a JavaScript MIME type, and a request whose destination is style when the MIME type is not text/css.</dd>
</dl>
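<p>As an added example (not part of the original MDN page, the Fetch specification's text, or any browser's code), the following JavaScript models how a browser applies <code>nosniff</code> according to the Fetch specification: it parses constructed raw HTTP responses, reads the header the way the spec does (only the first value, compared case-insensitively), and decides whether a <code>script</code> or <code>style</code> request would be blocked. The sample responses, the <code>buildResponse</code> helper and the other function names are this example's own.</p>

```javascript
// Added example, not MDN's or any browser's code: a model of the Fetch
// specification's "should response to request be blocked due to nosniff?"
// check. All sample responses below are constructed, not captured.

// The set Fetch calls "JavaScript MIME types".
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Build a raw HTTP/1.1 response string from header lines (test helper).
function buildResponse(headerLines, body = "") {
  return ["HTTP/1.1 200 OK", ...headerLines, "", body].join("\r\n");
}

// Parse the header block of a raw response into a Map of
// lower-cased name -> array of values (a header name may repeat).
function parseResponseHeaders(raw) {
  const headers = new Map();
  const [head] = raw.split("\r\n\r\n");
  for (const line of head.split("\r\n").slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Fetch "determine nosniff": true only when the first value of
// X-Content-Type-Options, lower-cased, is exactly "nosniff".
// Misspellings such as "no-sniff" silently disable the protection.
function hasNosniff(headers) {
  const values = headers.get("x-content-type-options");
  if (!values) return false;
  return values[0].split(",")[0].trim().toLowerCase() === "nosniff";
}

// Simplified "extract a MIME type": the essence ("type/subtype", no
// parameters) of the last Content-Type header, or null if absent/invalid.
function mimeEssence(headers) {
  const values = headers.get("content-type");
  if (!values) return null;
  const essence = values[values.length - 1].split(";")[0].trim().toLowerCase();
  return /^[^/\s]+\/[^/\s]+$/.test(essence) ? essence : null;
}

// Fetch "should response to request be blocked due to nosniff?".
// destination is the request destination: "script", "style", "image", ...
// Returns true when the browser must refuse to use the response.
function blockedByNosniff(raw, destination) {
  const headers = parseResponseHeaders(raw);
  if (!hasNosniff(headers)) return false; // no header: sniffing may occur
  const mime = mimeEssence(headers);
  if (destination === "script") return mime === null || !JS_MIME_TYPES.has(mime);
  if (destination === "style") return mime !== "text/css";
  return false; // nosniff never blocks other destinations
}

// Constructed sample responses illustrating the common configurations.
const SAMPLES = {
  // A file served as text/plain but loaded via <script>: blocked with nosniff.
  scriptAsText: buildResponse(["Content-Type: text/plain",
                               "X-Content-Type-Options: nosniff"], "alert(1)"),
  // Same file, correct MIME type: allowed.
  scriptAsJs: buildResponse(["Content-Type: application/javascript; charset=utf-8",
                             "X-Content-Type-Options: nosniff"], "alert(1)"),
  // No header at all: the browser is free to sniff, so it is not blocked here.
  scriptNoHeader: buildResponse(["Content-Type: text/plain"], "alert(1)"),
  // Header value is case-insensitive.
  upperCase: buildResponse(["Content-Type: text/plain",
                            "X-Content-Type-Options: NOSNIFF"], "alert(1)"),
  // A typo in the value is ignored, leaving sniffing enabled.
  typo: buildResponse(["Content-Type: text/plain",
                       "X-Content-Type-Options: no-sniff"], "alert(1)"),
  // Stylesheet served as text/html: blocked for a style destination.
  styleAsHtml: buildResponse(["Content-Type: text/html",
                              "X-Content-Type-Options: nosniff"], "body{}"),
};

// Evaluate every sample for the script destination (handy for manual runs).
function report() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    out[name] = blockedByNosniff(raw, "script");
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report());
}
```

<p>Run it with <code>node</code>; the <code>typo</code> and <code>scriptNoHeader</code> cases are the ones a site security tester is looking for, since both leave the browser free to sniff a <code>text/plain</code> response into executable script.</p>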

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{SpecName("Fetch", "#x-content-type-options-header", "X-Content-Type-Options definition")}}</td>
   <td>{{Spec2("Fetch")}}</td>
   <td>Initial definition</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Type")}}</li>
 <li>The <a href="https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/">original definition</a> of X-Content-Type-Options by Microsoft.</li>
 <li>The <a href="https://mozilla.github.io/http-observatory-website/">Mozilla Observatory</a> tool testing the configuration (including this header) of Web sites for safety and security</li>
 <li>
  <p><a href="https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/">Mitigating MIME Confusion Attacks in Firefox</a></p>
 </li>
</ul>