X-Content-Type-Options: nosniff

What it is

A response header with a single value, 'nosniff'. Disables the browser's MIME-sniffing fallback so it executes scripts and styles only when the Content-Type genuinely says so.

Why it matters

User-uploaded content (images, attachments) can be crafted to look like an HTML or JS file to a browser sniffing the bytes. nosniff closes that hole. Should be set on every response, period.

Who it applies to

Every HTTP response.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

Related standards

See also

Security headers

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Content Security Policy Level 3 1 shared factor Security The deployable CSP today. script-src, object-src, and base-uri are the three controls that actually stop XSS — the rest is optional.
• Cross-Origin isolation (COOP / COEP / CORP) 1 shared factor Security Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
• HTTP Strict Transport Security 1 shared factor Security One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
• ISO/IEC 27001:2022 1 shared factor Security International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
• NIST Cybersecurity Framework 2.0 1 shared factor Security Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.

Other references

• guidance MDN — X-Content-Type-Options