The X-Content-Type-Options header is commonly used to help protect against attacks that rely on MIME-type sniffing.
Browsers will sometimes attempt to guess ("sniff") a file's type from its contents, even when the server has already declared one. This can lead to security issues when user-supplied files are served, especially on forums and similar platforms that host user-generated content.
For example: an attacker uploads a file that looks like an image, but it actually contains some malicious JavaScript. If the browser “sniffs” the file and interprets it as something other than the declared type, it may execute code that should never have run.
The header tells the browser that the MIME type advertised in the Content-Type header must not be changed. If the type doesn't match, the browser refuses to render the resource. This reduces the risk of content being misinterpreted and used for cross-site scripting attacks.
Options
The only defined value is 'nosniff', which prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared Content-Type.
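To make the mechanism concrete, here is an added example (not code from the original article) covering both the behaviour described above and the 'nosniff' value: a small WSGI middleware that stamps X-Content-Type-Options: nosniff on every response, and a checker that audits a response's header list so you can confirm the header is actually present and spelled correctly. All function and variable names are this example's own choices; the "upload app" is a constructed stand-in for a server that serves user-supplied files.

```python
"""
Added example (not from the original article): a minimal WSGI middleware
that sets X-Content-Type-Options: nosniff on every response, plus a
checker that audits a response's header list for the directive.
Function and variable names below are this example's own choices.
"""
from wsgiref.util import setup_testing_defaults

HEADER_NAME = "X-Content-Type-Options"
HEADER_VALUE = "nosniff"


def nosniff_middleware(app):
    """Wrap a WSGI app so every response carries X-Content-Type-Options: nosniff.

    Any existing value for the header is replaced: 'nosniff' is the only
    defined value, and a misspelled value is simply ignored by browsers.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Header names are case-insensitive; drop any existing copy first.
            headers = [(k, v) for k, v in headers
                       if k.lower() != HEADER_NAME.lower()]
            headers.append((HEADER_NAME, HEADER_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def has_nosniff(headers):
    """Return True if the response headers enable nosniff.

    `headers` is an iterable of (name, value) pairs, as produced by a WSGI
    app or by http.client's HTTPResponse.getheaders(). The header name is
    matched case-insensitively; the value is compared case-insensitively
    with surrounding whitespace stripped, which is how browsers treat it.
    """
    for name, value in headers:
        if name.lower() == HEADER_NAME.lower():
            return value.strip().lower() == HEADER_VALUE
    return False


def call_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def upload_app(environ, start_response):
    """Constructed stand-in for an app serving user-uploaded files.

    It declares a user-supplied file as image/png; with nosniff set, a
    browser will not reinterpret the body as HTML if it happens to look
    like markup rather than image data.
    """
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"<!doctype html>not really a PNG"]


if __name__ == "__main__":
    _, headers, _ = call_app(upload_app)
    print("without middleware:", has_nosniff(headers))   # False
    _, headers, _ = call_app(nosniff_middleware(upload_app))
    print("with middleware:   ", has_nosniff(headers))   # True
```

The checker is the part worth reusing: point it at the header list of any real response (for example the output of HTTPResponse.getheaders()) to verify that a deployment really sends the directive, since a typo such as "no-sniff" leaves the browser free to sniff.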