URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

IN THIS ARTICLE

 * Syntax
 * Directives
 * Specifications
 * Browser compatibility
 * See also

X-CONTENT-TYPE-OPTIONS

The X-Content-Type-Options response HTTP header is a marker used by the server
to indicate that the MIME types advertised in the Content-Type headers should be
followed and not be changed. The header allows you to avoid MIME type sniffing
by saying that the MIME types are deliberately configured.

This header was introduced by Microsoft in IE 8 as a way for webmasters to block
content sniffing that was happening and could transform non-executable MIME
types into executable MIME types. Since then, other browsers have introduced it,
even if their MIME sniffing algorithms were less aggressive.

Starting with Firefox 72, top-level documents also avoid MIME sniffing (if a
Content-Type is provided). This can cause HTML web pages to be downloaded
instead of being rendered when they are served with a MIME type other than
text/html. Make sure to set both headers correctly.

Site security testers usually expect this header to be set.

Note: X-Content-Type-Options only applies request-blocking due to nosniff for
request destinations of "script" and "style". However, it also enables
Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files
(excluding SVG image/svg+xml).

Header type: Response header
Forbidden header name: no


SYNTAX

X-Content-Type-Options: nosniff




DIRECTIVES

nosniff

Blocks a request if the request destination is of type style and the MIME type
is not text/css, or of type script and the MIME type is not a JavaScript MIME
type.
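The following block is an added example, not code from MDN or from any browser: a small Python model of how a browser applies the nosniff directive described in the intro and in this Directives section (the Fetch standard's "should response to request be blocked due to nosniff?" check), plus an audit helper of the kind a site security tester would run over a response's headers. It goes slightly beyond the page in two places: it treats the Fetch standard's other script-like destinations (workers and worklets) the same as "script", and it uses the JavaScript MIME type list from the MIME Sniffing standard. The sample header sets at the bottom are constructed, and the MIME type extraction is a simplification (essence of the last Content-Type value, parameters dropped).

```python
"""Model of X-Content-Type-Options: nosniff enforcement (added example)."""
from __future__ import annotations

# JavaScript MIME types as enumerated by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# "Script-like" request destinations per the Fetch standard. The page names
# only "script"; the worker and worklet destinations follow the same rule.
SCRIPT_LIKE = frozenset({"script", "audioworklet", "paintworklet",
                         "serviceworker", "sharedworker", "worker"})

# A header list as Fetch models it: ordered (name, value) pairs.
Headers = list[tuple[str, str]]


def get_header(headers: Headers, name: str) -> str | None:
    """Combined value of every header with this name (comma-joined), or None."""
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def determine_nosniff(headers: Headers) -> bool:
    """Fetch's "determine nosniff": only the first comma-separated token
    counts, case-insensitively, so 'foo, nosniff' does NOT enable nosniff."""
    value = get_header(headers, "x-content-type-options")
    if value is None:
        return False
    first = value.split(",", 1)[0].strip()
    return first.lower() == "nosniff"


def extract_mime_essence(headers: Headers) -> str | None:
    """Simplified MIME type extraction: essence (type/subtype) of the last
    Content-Type value, parameters such as charset dropped, lower-cased."""
    values = [v for n, v in headers if n.lower() == "content-type"]
    if not values:
        return None
    essence = values[-1].split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None


def blocked_by_nosniff(headers: Headers, destination: str) -> bool:
    """Fetch's "should response to request be blocked due to nosniff?".

    Only script-like and style destinations are ever blocked; a missing or
    malformed Content-Type counts as "not a JavaScript MIME type"."""
    if not determine_nosniff(headers):
        return False
    mime = extract_mime_essence(headers)
    if destination in SCRIPT_LIKE:
        return mime is None or mime not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False


def audit_response(headers: Headers) -> list[str]:
    """Findings a header audit would report for one response."""
    findings = []
    if not determine_nosniff(headers):
        findings.append("missing X-Content-Type-Options: nosniff")
    if extract_mime_essence(headers) is None:
        findings.append("missing or malformed Content-Type")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES: dict[str, Headers] = {
    "js_ok": [("Content-Type", "text/javascript; charset=utf-8"),
              ("X-Content-Type-Options", "nosniff")],
    "plain": [("Content-Type", "text/plain"),
              ("X-Content-Type-Options", "nosniff")],
    "css_upper": [("Content-Type", "text/css"),
                  ("X-Content-Type-Options", "NOSNIFF")],
    "no_header": [("Content-Type", "text/plain")],
    "wrong_order": [("Content-Type", "text/javascript"),
                    ("X-Content-Type-Options", "foo, nosniff")],
    "no_ctype": [("X-Content-Type-Options", "nosniff")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdicts = {d: blocked_by_nosniff(hdrs, d) for d in ("script", "style", "image")}
        print(f"{name:12} blocked={verdicts} audit={audit_response(hdrs)}")
```

The two edge cases worth noticing are `wrong_order`, where nosniff is present but not first and so is ignored, and `no_ctype`, where nosniff plus a missing Content-Type blocks the script outright; both are the reason the page says to set both headers correctly.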


SPECIFICATIONS

Specification: Fetch Standard, # x-content-type-options-header


BROWSER COMPATIBILITY

Browser               X-Content-Type-Options
Chrome                Full support, 64
Edge                  Full support, 12
Firefox               Full support, 50
Opera                 Full support, Yes
Safari                Full support, 11
Chrome Android        Full support, 64
Firefox for Android   Full support, 50
Opera Android         Full support, Yes
Safari on iOS         Full support, 11
Samsung Internet      Full support, 9.0
WebView Android       Full support, 64

The compatibility table on this page is generated from structured data. If you'd
like to contribute to the data, please check out
https://github.com/mdn/browser-compat-data and send us a pull request.


BROWSER SPECIFIC NOTES

 * Firefox 72 enables X-Content-Type-Options: nosniff for top-level documents


SEE ALSO

 * Content-Type
 * The original definition of X-Content-Type-Options by Microsoft.
 * The Mozilla Observatory tool testing the configuration (including this
   header) of Web sites for safety and security
 * Mitigating MIME Confusion Attacks in Firefox
 * Cross-Origin Read Blocking (CORB)
 * Google Docs CORB explainer


FOUND A CONTENT PROBLEM WITH THIS PAGE?

 * Edit the page on GitHub.
 * Report the content issue.
 * View the source on GitHub.

Want to get more involved? Learn how to contribute.

This page was last modified on Mar 3, 2023 by MDN contributors.

Portions of this content are ©1998–2023 by individual mozilla.org contributors.
Content available under a Creative Commons license.