Content sniffing - Web Security Best Practices

Turn off browser content sniffing to protect against content sniffing exploits. When processing a response, browsers sometimes ignore the MIME type in the Content-Type header and guess the type based on the contents of the response. This is called content sniffing and is done to improve the user experience when Content-Type headers are inaccurate or missing. However, this behaviour can be exploited. For example, if your site allows users to share images, an attacker might be able to upload a specially crafted image file that contains JavaScript code. A browser performing content sniffing might then be tricked into executing the malicious file. To reduce content sniffing attacks, set the X-Content-Type-Options response header to nosniff. This tells browsers to avoid guessing response types and to rely only on the Content-Type header.

All responses should accurately specify their MIME type so that browsers don’t have to rely on content sniffing. When the X-Content-Type-Options: nosniff response header is used to disable content sniffing, browsers rely on the Content-Type header to determine the type of each response. To avoid issues, set the Content-Type header of all responses to an accurate MIME type.