Home / Tools / Add X-Content-Type-Options header to stop MIME sniffing
Security Headers · Scan Check Guide

Add X-Content-Type-Options header to stop MIME sniffing

5 min Impact: high Effort: medium ✓ Scan-verified — no manual checkbox

X-Content-Type-Options stops browsers from trying to guess a file's type based on its content instead of trusting the Content-Type header your server sent — that guessing ('MIME sniffing') is how attackers get a browser to execute a file uploaded as an image as if it were a script.

MIME sniffing lets browsers guess file types and execute malicious files as scripts. This header disables that behaviour entirely.

How to fix it

  1. 1
    Add the header
    Set X-Content-Type-Options: nosniff in your server config or CDN — there is only one valid value, so there's no configuration decision to make.
  2. 2
    Apply it site-wide
    Unlike some headers, this one has no legitimate reason to be selectively disabled on any page — set it globally.

Common mistakes

How you'll know it's done

The response header X-Content-Type-Options: nosniff appears on every page.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →