Free Tool

Free X-Content-Type-Options (nosniff) Checker

Check whether a website sends X-Content-Type-Options: nosniff to stop browsers from MIME sniffing responses.

Free and instant. No account or signup needed.

What MIME sniffing is and why nosniff matters

Every response a server sends carries a Content-Type header that names the kind of data inside, such as text/html or image/png. Browsers do not always trust that label. When the type looks wrong or is missing they fall back to MIME sniffing, which means they inspect the bytes and guess the type for themselves. That guess is convenient for old or misconfigured sites, but it is also a security hole. If an attacker can get content they control onto your origin, a browser that sniffs might decide a plain file is really a script and run it, which opens the door to cross-site scripting and drive-by attacks.

The X-Content-Type-Options header shuts that behavior down. It accepts one value, nosniff, and that value tells the browser to honor the declared Content-Type and never second-guess it. With nosniff in place a response labeled as text stays text and a response labeled as an image stays an image, so attacker-supplied content cannot be reinterpreted as executable code.

How to add the header

Sending the header is a one-line change on most stacks. On Apache add Header set X-Content-Type-Options "nosniff" to your config or .htaccess. On Nginx add add_header X-Content-Type-Options "nosniff" always; inside the server or location block (the always flag makes Nginx send it on error responses too). In a Node and Express app you can write res.setHeader("X-Content-Type-Options", "nosniff"), or let Helmet set it for you with its default configuration. After you deploy the change, rerun this checker to confirm the live response now returns nosniff. To see this header alongside the rest of your defenses, read the X-Content-Type-Options guide.
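The same one-line fix can be applied at the application layer when you cannot touch the web server config. The following is an added example, not SiteSecurityScore's code: a WSGI middleware that stamps X-Content-Type-Options: nosniff onto every response, replacing any existing (and possibly misspelled) copy so only the correct value goes out. The demo apps and the in-process run_once helper are constructed for illustration.

```python
"""Added example: add X-Content-Type-Options: nosniff to every WSGI response.

This is the application-layer equivalent of the Apache, Nginx and Express
one-liners above. It wraps any WSGI app, so it works with Flask, Django or
a bare handler without changing the app itself.
"""
from wsgiref.simple_server import make_server

NOSNIFF = ("X-Content-Type-Options", "nosniff")


def add_nosniff(app):
    """Wrap a WSGI app so every response carries exactly one nosniff header."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Header names are case-insensitive. Drop any existing copy so a
            # stale or wrong value such as "no-sniff" cannot sit next to the
            # correct one; browsers only look at the first value they see.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-content-type-options"]
            headers.append(NOSNIFF)
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical upstream app that never sets the header at all."""
    body = b"<h1>hello</h1>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def misconfigured_app(environ, start_response):
    """Hypothetical app that sends a typo'd value, which gives no protection."""
    body = b"{}"
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("x-content-type-options", "no-sniff")])
    return [body]


def run_once(app, path="/"):
    """Call a WSGI app in-process and return (status, headers, body).

    This avoids opening a socket, so the behaviour can be checked offline.
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}  # minimal constructed environ
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app in (demo_app, misconfigured_app):
        status, headers, _ = run_once(add_nosniff(app))
        print(app.__name__, status)
        for k, v in headers:
            print(f"  {k}: {v}")
    # To serve it for a real check with this page's tool:
    # make_server("127.0.0.1", 8000, add_nosniff(demo_app)).serve_forever()
```

Wrapping the app at startup (for example `application = add_nosniff(application)` in the WSGI entry point) is enough; the middleware never inspects the body, so it adds no measurable overhead and cannot break content negotiation.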

Frequently asked questions

What is an X-Content-Type-Options checker?

It is a tool that fetches a website and reports whether the response carries the X-Content-Type-Options: nosniff header. SiteSecurityScore reads this live from the URL you enter and tells you in seconds whether MIME sniffing is turned off.

What does nosniff actually do?

The nosniff value tells the browser to honor the Content-Type the server declared and never try to guess a different type. That stops a browser from treating, say, an uploaded text file or image as JavaScript and running it.

Why is MIME sniffing a security risk?

When a browser guesses the type of a response it can misread attacker-controlled content as an executable script or stylesheet. That guessing has been used to smuggle scripts through endpoints that were only meant to serve data, which can turn into cross-site scripting.

Is nosniff the only valid value?

Yes. The header recognizes a single directive, nosniff, and any other value is ignored by browsers. If the header is present but set to something else you get no protection, so always send exactly X-Content-Type-Options: nosniff.
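A checker has to apply the same rule a browser does, otherwise it will pass a header that gives no protection. The following is an added example, not SiteSecurityScore's own checker: it parses a raw HTTP response, finds the header case-insensitively, and accepts it only when the first comma-separated value is "nosniff" (compared ASCII case-insensitively, which is how the Fetch standard defines the check). The sample responses are constructed; the optional check_url helper uses the standard library to fetch a live URL.

```python
"""Added example: decide whether a response's X-Content-Type-Options header
will actually stop MIME sniffing, using the browser's own rule.
"""
import sys
from urllib.request import urlopen

HEADER = "x-content-type-options"


def nosniff_enabled(headers):
    """headers: iterable of (name, value) pairs.

    Returns True only when the first X-Content-Type-Options field's first
    comma-separated value is 'nosniff' (ASCII case-insensitive). Anything else,
    including 'no-sniff' or a second value 'foo, nosniff', leaves sniffing on.
    """
    for name, value in headers:
        if name.lower() == HEADER:
            first = value.split(",", 1)[0].strip()
            return first.lower() == "nosniff"
    return False


def verdict(headers):
    """Human-readable result: 'ok', 'missing', or why a present header fails."""
    for name, value in headers:
        if name.lower() == HEADER:
            if nosniff_enabled([(name, value)]):
                return "ok"
            return f"present but ineffective: {value!r}"
    return "missing"


def parse_raw_headers(raw):
    """Split the header block of a raw HTTP/1.1 response into (name, value) pairs.

    Only the status line and header lines are read; the body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return pairs


def check_url(url, timeout=10):
    """Fetch a live URL and return the verdict. Follows redirects, so the
    headers reported are those of the final response."""
    with urlopen(url, timeout=timeout) as resp:
        return verdict(resp.headers.items())


# Constructed sample responses covering the cases a checker must distinguish.
SAMPLES = {
    "missing":    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "correct":    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"X-Content-Type-Options: nosniff\r\n\r\n<html>",
    "mixed_case": b"HTTP/1.1 200 OK\r\nx-content-type-options: NoSniff\r\n\r\n",
    "typo":       b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: no-sniff\r\n\r\n",
    "wrong_order": b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: foo, nosniff\r\n\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
    else:
        for label, raw in SAMPLES.items():
            print(f"{label:12s} -> {verdict(parse_raw_headers(raw))}")
```

Run it with a URL argument to check a live site, or with no arguments to see the verdict for each constructed sample. The "typo" and "wrong_order" cases are the ones a naive "is the header present" check would wrongly report as protected.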

Does this checker scan a live site?

It does. Enter a URL and SiteSecurityScore fetches the real response, reads the X-Content-Type-Options header, and reports what it found. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.

Run a full scan