X-Content-Type-Options is an HTTP response header with only one valid value: nosniff. It tells the browser to strictly follow the MIME type declared in the Content-Type header and not try to guess ("sniff") the content type on its own.
Why MIME-Type Sniffing is Dangerous
Without this header, browsers may try to detect the content type by inspecting the file content. This can be exploited:
- An attacker uploads a file disguised as an image but containing JavaScript
- The browser sniffs the content, detects it's actually JavaScript, and executes it
- This leads to XSS (Cross-Site Scripting) attacks
The Fix
X-Content-Type-Options: nosniff
With this header set, the browser will only process files according to their declared MIME type. A file served as image/png will only be treated as an image — never as a script.
What InspectWP Checks
InspectWP checks whether your WordPress site sends the X-Content-Type-Options: nosniff header. This is a simple but important security header that should be present on every website.
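As an added illustration (not InspectWP's own code), here is the same check written in Python against constructed sample responses. It applies the rule browsers use when evaluating the header: the header name is case-insensitive, only the first value of a comma-separated list counts, and that value must match "nosniff" case-insensitively.

```python
"""Check whether an HTTP response enables X-Content-Type-Options: nosniff.

The decision rule mirrors how browsers evaluate the header (Fetch spec,
"determine nosniff"): header names are case-insensitive, the header may
appear more than once or carry a comma-separated list, only the first
value counts, and it must be a case-insensitive match for "nosniff".
"""
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 response into (name, value) pairs."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response status line")
    headers = []
    for line in lines[1:]:
        if line == "":          # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def header_values(headers: List[Tuple[str, str]], name: str) -> Optional[List[str]]:
    """Collect every value sent for a header, splitting comma-separated lists."""
    values = [part.strip() for n, v in headers if n == name.lower() for part in v.split(",")]
    return values or None


def nosniff_enabled(headers: List[Tuple[str, str]]) -> bool:
    """True only if the first X-Content-Type-Options value is 'nosniff'."""
    values = header_values(headers, "x-content-type-options")
    return values is not None and values[0].lower() == "nosniff"


def check_response(raw: str) -> Dict[str, object]:
    """Return a small finding in the style of a security-header scan."""
    ok = nosniff_enabled(parse_headers(raw))
    return {"nosniff": ok, "finding": None if ok else "X-Content-Type-Options: nosniff is missing"}


# Constructed sample responses (not captured from any real site).
RESPONSE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-content-type-options: NoSniff\r\n\r\n<html>"
RESPONSE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESPONSE_WRONG = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: none\r\n\r\n"
RESPONSE_LATER = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: none, nosniff\r\n\r\n"  # first value wins, so not protected

if __name__ == "__main__":
    for label, resp in [("ok", RESPONSE_OK), ("missing", RESPONSE_MISSING),
                        ("wrong", RESPONSE_WRONG), ("later", RESPONSE_LATER)]:
        print(label, check_response(resp))
```

The RESPONSE_LATER case is the one most scanners get wrong: a misconfigured proxy that prepends its own value leaves nosniff in the header but the browser still ignores it.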