X-Content-Type-Options HTTP header
What the X-Content-Type-Options nosniff header does, why MIME-type sniffing is a risk, and how to set it in Apache, PHP and on AWS CloudFront.
The X-Content-Type-Options header is the simplest of the HTTP security headers, with a single job and a single value. It stops browsers from trying to guess ("sniff") the type of a response and second-guessing the Content-Type you sent.
X-Content-Type-Options: nosniff
Without it, a browser that thinks it knows better may treat a file as a different type than you declared, interpreting something you served as plain text as HTML or JavaScript, for example. That MIME-type sniffing has been used to smuggle executable content past checks, so turning it off closes a small but real hole.
With nosniff set, the browser honours the declared Content-Type and refuses to load scripts or stylesheets whose type does not match what it expects. There is only the one value, and nothing to configure beyond sending it.
It costs nothing and has no real downside, so it belongs on every response, next to Content-Security-Policy and the rest of your web application security headers.
How to set X-Content-Type-Options in Apache
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
How to set X-Content-Type-Options in PHP
header('X-Content-Type-Options: nosniff');
Setting it on AWS CloudFront
On a static site there is no web server in the request path, so the header goes on your CloudFront distribution instead. The simplest modern way is a response headers policy, where you list your security headers once and CloudFront adds them to every response without any code, and AWS provides a managed security headers policy that already includes nosniff. For anything the policy cannot express, a CloudFront Function on the viewer response sets headers in a few lines of JavaScript, with Lambda@Edge kept back for the heavier logic a function cannot handle.