HTTP security headers

X-Content-Type-Options (nosniff)

What X-Content-Type-Options: nosniff prevents, and how WebGuard flags a missing or invalid value.

Last updated June 9, 2026

What it is

X-Content-Type-Options is a response header that tells the browser not to guess (sniff) a response's content type and to trust the declared Content-Type instead. Its only valid value is `nosniff`.

Why it matters

Without `nosniff`, a browser may interpret a file as a different type than you intended (for example treating an uploaded document as executable script), which opens the door to content-type confusion attacks. The single value removes that ambiguity, so a missing or mistyped header is an easy, worthwhile fix.

How WebGuard checks it

WebGuard reads your response headers and reports whether X-Content-Type-Options is present and whether its value is the only valid one, `nosniff`. It inspects headers your public site already returns, and nothing more.

A sensible starting configuration:

X-Content-Type-Options: nosniff

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.