MIME sniffing

X-Content-Type-Options


Set to nosniff, this header tells the browser to trust the declared Content-Type instead of inspecting the body and "sniffing" the response into something more dangerous, for example treating an uploaded text file as JavaScript or HTML. With nosniff in place the browser also refuses to execute a response requested as a script unless it carries a JavaScript MIME type, and refuses to apply a stylesheet unless it is served as text/css. There is exactly one valid value: nosniff. The header only helps when the declared type is itself correct, so send it on every response (static assets, API responses and error pages included) together with accurate Content-Type headers.

Example

X-Content-Type-Options: nosniff
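As an added example that is not part of this page or of the scanner behind it, the Python below does two things a practitioner usually wants when reviewing this header: it audits a captured HTTP response for a valid X-Content-Type-Options value, and it models the Fetch standard's nosniff blocking rule for scripts and stylesheets so you can see which Content-Type mismatches actually get blocked. The raw responses are constructed inline; the MIME parsing is a deliberately simplified essence extraction rather than a full MIME-type parser.

```python
"""Audit X-Content-Type-Options and model the nosniff block decision.

Added example; the sample responses below are constructed, not captured.
"""

# JavaScript MIME type essences listed by the MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Request destinations the Fetch standard calls "script-like".
SCRIPT_LIKE = {"audioworklet", "paintworklet", "script", "serviceworker",
               "sharedworker", "worker"}


def parse_headers(raw):
    """Split a raw HTTP/1.1 response into its status line and a list of
    (lower-cased name, value) pairs. Duplicates are preserved on purpose."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def determine_nosniff(headers):
    """Fetch's "determine nosniff": join repeated headers, split on commas,
    and honour the header only if the FIRST token is 'nosniff' (ASCII
    case-insensitive). Anything else, e.g. 'no-sniff', is silently ignored."""
    values = [v for n, v in headers if n == "x-content-type-options"]
    if not values:
        return False
    tokens = [t.strip() for t in ", ".join(values).split(",")]
    return tokens[0].lower() == "nosniff"


def audit_nosniff(raw):
    """Return 'ok', 'missing' or 'invalid' for a raw response."""
    _, headers = parse_headers(raw)
    if not any(n == "x-content-type-options" for n, _ in headers):
        return "missing"
    return "ok" if determine_nosniff(headers) else "invalid"


def content_type_essence(headers):
    """Simplified MIME essence: the last Content-Type header, parameters
    stripped, lower-cased. Returns '' when the header is absent."""
    values = [v for n, v in headers if n == "content-type"]
    if not values:
        return ""
    return values[-1].split(";", 1)[0].strip().lower()


def would_block(raw, destination):
    """Model "should response to request be blocked due to nosniff?":
    with nosniff set, a script-like destination needs a JavaScript MIME
    type and a 'style' destination needs text/css; other destinations
    (images, fetch(), navigations) are not subject to this rule."""
    _, headers = parse_headers(raw)
    if not determine_nosniff(headers):
        return False  # no nosniff: the browser may sniff and run it
    essence = content_type_essence(headers)
    if destination in SCRIPT_LIKE:
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


# Constructed sample responses (not captured traffic).
GOOD_SCRIPT = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/javascript; charset=utf-8\r\n"
               b"X-Content-Type-Options: nosniff\r\n\r\n"
               b"console.log('ok');")
UPLOAD_NO_HEADER = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/plain\r\n\r\n"
                    b"alert(document.cookie)")
UPLOAD_NOSNIFF = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/plain\r\n"
                  b"X-Content-Type-Options: nosniff\r\n\r\n"
                  b"alert(document.cookie)")
UPLOAD_TYPO = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/plain\r\n"
               b"X-Content-Type-Options: no-sniff\r\n\r\n"
               b"alert(document.cookie)")
CSS_AS_PLAIN = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/plain\r\n"
                b"X-Content-Type-Options: NOSNIFF\r\n\r\n"
                b"body{color:red}")

if __name__ == "__main__":
    for name, raw in [("good", GOOD_SCRIPT), ("no header", UPLOAD_NO_HEADER),
                      ("typo", UPLOAD_TYPO), ("upload+nosniff", UPLOAD_NOSNIFF)]:
        print(f"{name:15} audit={audit_nosniff(raw):8} "
              f"blocked as <script>={would_block(raw, 'script')}")
```

The two findings worth internalising from running it: a header with a typo scores exactly like a missing one, because the browser honours only the literal first token, and nosniff blocks a text/plain upload only when the page tries to use it as a script or stylesheet; it never turns a wrong Content-Type into a right one.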

Scoring

Contributes up to 10 points to your grade.

Full specification on MDN ↗