What is “X-Content-Type-Options=nosniff”?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to
‘nosniff’

This check is specific to Internet Explorer 8 and Google Chrome.
Ensure each page sets a Content-Type header and the
X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

I have no idea what this means, and I couldn’t find anything online. I have tried adding:

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />

but the I still get the alert.

What is the correct way of setting the parameter?

8 Answers
8

Leave a Comment