X-Content-Type-Options

Checks for the presence of the 'X-Content-Type-Options' header, which protects against attacks that abuse MIME type sniffing.

The X-Content-Type-Options HTTP response header tells the web browser that the Content-Type headers are deliberately set and should be followed. Without it, browsers may use MIME type sniffing to guess the Content-Type, either when the Content-Type header is missing or when the browser thinks it is incorrect. Because some types of content are executable, sniffing has security consequences. For example, a user may upload a plain-text document but trick the browser into executing it as JavaScript. This header is especially important for websites that host user-generated content.

This test looks for the presence of this header with a value of nosniff. If the header is missing or contains any other value, a warning is displayed.
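
A minimal version of this check, as an added example (not the testing tool's own code), run over constructed raw HTTP responses. The function names, the case-insensitive comparison, and the handling of repeated or comma-separated values are assumptions.

```python
# Added example: pass only when X-Content-Type-Options is "nosniff",
# warn when the header is missing or carries any other value.

def parse_headers(raw_response):
    """Return (lowercased name, value) pairs from the head of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_nosniff(raw_response):
    """Return (status, detail), where status is 'pass' or 'warning'."""
    values = [v for n, v in parse_headers(raw_response)
              if n == "x-content-type-options"]  # header names are case-insensitive
    if not values:
        return ("warning", "header missing")
    # Assumption: repeated headers and comma-separated values are split into
    # tokens, and every token must be "nosniff" for the check to pass.
    tokens = [t.strip().lower() for v in values for t in v.split(",")]
    bad = [t for t in tokens if t != "nosniff"]
    if bad:
        return ("warning", "unexpected value: " + ", ".join(repr(t) for t in bad))
    return ("pass", "nosniff")

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "good": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\nhello",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello",
    "typo": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            "X-Content-Type-Options: no-sniff\r\n\r\nhello",
    "mixed_case": "HTTP/1.1 200 OK\r\ncontent-type: text/plain\r\n"
                  "x-content-type-options: NoSniff\r\n\r\nhello",
    "empty": "HTTP/1.1 200 OK\r\nX-Content-Type-Options:\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        status, detail = check_nosniff(raw)
        print(f"{label:<11} {status:<8} {detail}")
```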

To learn more about this header and other security headers, please read our in-depth article on HTTP Headers That Protect Your Users.
