The X-Content Type Options header is usually used to help protect against certain types of attacks, such as drive-by downloads and cross-site scripting (XSS). Drive-by download attacks are especially executed on public forums or other sites with user-generated content. Malicious executable code is uploaded to the forums, disguised as regular images, PDFs, etc. By preventing MIME type sniffing, you can help to ensure that your website content is served with the correct MIME type, which can help to prevent these types of attacks. The header is used to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
Options
The only defined value, ‘nosniff’, prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
