MIME Type Security: Sniffing Attacks
How MIME type confusion leads to content sniffing attacks — and how X-Content-Type-Options prevents them.
Tags: MIME type security, content sniffing attack, X-Content-Type-Options
MIME type confusion is a class of vulnerability that has been exploited since the early days of the web. A browser that guesses a file's type from its content rather than from the server's declared type can end up executing a malicious script disguised as an image or as plain text. One HTTP response header, X-Content-Type-Options: nosniff, tells the browser to stop guessing and closes off this class of attack, provided the declared Content-Type is itself correct.

---

All the tools discussed here are available for free at theproductguy.in: client-side, no sign-up required. Part of the HTTP Debugging Tools Guide, a complete toolkit for diagnosing web requests.

---

How MIME Sniffing Works

Early versions of Internet Explorer introduced "MIME sniffing" to work around misconfigured servers: if the Content-Type was wrong or ambiguous, the browser would look at the first few bytes of the response and guess the…
Frequently Asked Questions
What is MIME type sniffing?
MIME type sniffing (content sniffing) is when a browser does not take the server's declared Content-Type at face value and examines the first bytes of the response to guess the format. Early versions of Internet Explorer introduced it to cope with misconfigured servers; today's browsers implement a narrower, standardised version (the WHATWG MIME Sniffing Standard). The security problem is that the guess can be steered by whoever controls the bytes: an attacker can craft a file that passes as an image or as text but is recognised as HTML or JavaScript when sniffed.
How does content sniffing lead to security vulnerabilities?
If a website hosts user-uploaded content and serves it with an incorrect or permissive Content-Type (such as text/plain, or none at all), a sniffing browser may decide the bytes are HTML and render them, executing any script inside in the origin of the upload host. The classic chain: an attacker uploads a file containing a script tag, the server serves it as text/plain, the browser sniffs it as HTML and runs the script with access to the site's cookies and DOM, a stored XSS. Promoting text/plain documents to HTML is Internet Explorer-era behaviour that current browsers no longer do for page loads, but the same upload still executes in every current browser when it is referenced from a script element (a script src pointing at the upload), because without nosniff the browser does not insist on a JavaScript Content-Type there.
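To make the two answers above concrete, here is an added example (not code from the article, and not any browser's real implementation): a small model of how a browser decides what a response is, once with the legacy text/plain-to-HTML sniffing the article describes and once under the current rules, and of the separate check applied to script loads. The pattern tables are deliberately small subsets of those in the WHATWG MIME Sniffing Standard and the Fetch Standard; stylesheet handling is analogous and omitted. The sample bodies are constructed here.

```javascript
'use strict';
// Added example: simplified model of MIME sniffing and of X-Content-Type-Options: nosniff.
// Tables are small subsets of the WHATWG MIME Sniffing Standard / Fetch Standard.

// Magic-number patterns for a few image types.
const IMAGE_PATTERNS = [
  { magic: Buffer.from('GIF87a', 'latin1'), type: 'image/gif' },
  { magic: Buffer.from('GIF89a', 'latin1'), type: 'image/gif' },
  { magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), type: 'image/png' },
  { magic: Buffer.from([0xff, 0xd8, 0xff]), type: 'image/jpeg' },
];

// Tag names the standard scans for (case-insensitively) at the start of the first
// 512 bytes, each followed by a space or '>'.
const HTML_TAGS = ['!DOCTYPE HTML', 'HTML', 'HEAD', 'SCRIPT', 'IFRAME', 'H1', 'DIV',
  'FONT', 'TABLE', 'A', 'STYLE', 'TITLE', 'B', 'BODY', 'BR', 'P', '!--'];

// JavaScript MIME types (subset of the standard's list).
const JS_TYPES = new Set(['text/javascript', 'application/javascript',
  'application/ecmascript', 'application/x-javascript', 'text/ecmascript']);

// Strip parameters such as "; charset=utf-8" and normalise case.
function essence(contentType) {
  return String(contentType ?? '').split(';')[0].trim().toLowerCase();
}

function matchImage(body) {
  const hit = IMAGE_PATTERNS.find(p => body.length >= p.magic.length &&
    body.subarray(0, p.magic.length).equals(p.magic));
  return hit ? hit.type : null;
}

function looksLikeHtml(body) {
  const head = body.subarray(0, 512).toString('latin1');
  let i = 0;
  while (i < head.length && ' \t\n\r\f'.includes(head[i])) i++; // skip leading whitespace
  if (head[i] !== '<') return false;
  const rest = head.slice(i + 1).toUpperCase();
  return HTML_TAGS.some(tag =>
    rest.startsWith(tag) && (rest[tag.length] === ' ' || rest[tag.length] === '>'));
}

// Computed type for a document load. legacyTextPlainSniff models the IE-era behaviour
// the article describes (text/plain scanned for HTML); current browsers no longer do it.
function computedType(declared, body, { nosniff = false, legacyTextPlainSniff = false } = {}) {
  const e = essence(declared);
  if (e === 'text/html') return e;
  const unknown = e === '' || e === 'unknown/unknown' || e === 'application/unknown' || e === '*/*';
  if (unknown) {
    // nosniff disables "scriptable" sniffing (to HTML); image magic is still honoured.
    if (!nosniff && looksLikeHtml(body)) return 'text/html';
    return matchImage(body) || 'application/octet-stream';
  }
  if (nosniff) return e;                                      // declared type is final
  if (e.startsWith('image/')) return matchImage(body) || e;   // fix up a wrong image subtype
  if (e === 'text/plain' && legacyTextPlainSniff && looksLikeHtml(body)) return 'text/html';
  return e;
}

// May this response run as a <script>? (Fetch Standard's MIME type blocking.)
function scriptAllowed(contentType, nosniff) {
  const e = essence(contentType);
  if (e === '') return true;            // no Content-Type at all: nosniff has nothing to check
  if (nosniff) return JS_TYPES.has(e);  // strict: must be a JavaScript MIME type
  // Even without nosniff, browsers refuse these obviously wrong types for scripts.
  return !(e.startsWith('image/') || e.startsWith('audio/') || e.startsWith('video/') || e === 'text/csv');
}

// Constructed sample bodies (not real uploads).
const uploadedText = Buffer.from('<script>alert(document.domain)</script>', 'latin1');
const gifHtmlPolyglot = Buffer.concat([Buffer.from('GIF89a', 'latin1'), uploadedText]);

console.log(computedType('text/plain', uploadedText, { legacyTextPlainSniff: true })); // text/html
console.log(computedType('text/plain', uploadedText, { nosniff: true }));              // text/plain
console.log(computedType(undefined, uploadedText));                                    // text/html
console.log(computedType(undefined, uploadedText, { nosniff: true }));                 // application/octet-stream
console.log(computedType('image/png', gifHtmlPolyglot));                               // image/gif
console.log(scriptAllowed('text/plain', false), scriptAllowed('text/plain', true));    // true false
```

The last line is the one that matters for current browsers: a user upload served as text/plain is a perfectly good script target until nosniff is present. Note also that scriptAllowed returns true for a response with no Content-Type even under nosniff, which is why the header is only half the fix.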
What is X-Content-Type-Options?
X-Content-Type-Options: nosniff is an HTTP response header that tells the browser to treat the declared Content-Type as final instead of guessing from the bytes. Concretely: a response loaded by a script element runs only if its Content-Type is a JavaScript MIME type (so a script served as text/plain or image/gif is blocked), a response loaded as a stylesheet is applied only if it is text/css, and an ambiguous or unknown response is never promoted to HTML. Browsers also rely on it when deciding whether a cross-origin response may be read at all (Cross-Origin Read Blocking). It is a simple, high-value header with one condition: it only helps when the declared Content-Type is correct, and it does nothing for a response that carries no Content-Type at all. Audit your types before switching it on, or legitimate scripts and stylesheets served with the wrong type will stop loading.
How do I set nosniff in my server?
Add X-Content-Type-Options: nosniff to every HTTP response, including error pages and static files.
Nginx: add_header X-Content-Type-Options nosniff always; (add_header directives are not inherited into a location block that declares its own add_header, so either repeat it there or set it once at a level no child block overrides).
Apache: Header always set X-Content-Type-Options nosniff
Express.js with Helmet: app.use(helmet()); sets it automatically.
AWS Amplify: add it under customHeaders in customHttp.yml.
What is a polyglot file attack?
A polyglot file is a single file that is valid in two formats at once: for example, a GIF whose GIF89a header is followed by an HTML document with a script tag, or a JPEG crafted so that its bytes also parse as JavaScript. Polyglots defeat upload validation that inspects content: magic bytes, image dimensions and even a successful decode all check out, because the file really is an image. The attack still needs a second step: the browser has to interpret the file as HTML or script, which happens when it is served with an ambiguous Content-Type, referenced from a script element, or sniffed. The defences are therefore on the serving side: send a correct, specific Content-Type; always add X-Content-Type-Options: nosniff; serve uploads that need not render inline with Content-Disposition: attachment; and host user content on a separate origin so that even a successful render cannot reach the main site's cookies or DOM.
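The serving-side defences from the two answers above (setting nosniff, and neutralising polyglots) put together in one added example. This is not the article's code and not a complete upload service: the upload store, the file bytes (including a GIF/HTML polyglot of the kind a magic-byte check accepts) and the inline allowlist are constructed for the demo, and only Node's built-in http module is used.

```javascript
'use strict';
// Added example: serving user uploads so that sniffing and polyglots are inert.

// Types we are prepared to render inline. Anything else is offered as a download.
// text/* is deliberately absent: legacy sniffers promoted text/plain to HTML.
const INLINE_TYPES = new Map([
  ['gif', 'image/gif'],
  ['png', 'image/png'],
  ['jpg', 'image/jpeg'],
  ['jpeg', 'image/jpeg'],
]);

// Constructed upload store: id -> { name, body }.
const UPLOADS = new Map([
  ['1', { name: 'avatar.gif',
          body: Buffer.concat([Buffer.from('GIF89a', 'latin1'),
                               Buffer.from('<script>alert(document.domain)</script>', 'latin1')]) }],
  ['2', { name: 'notes.txt', body: Buffer.from('<script>alert(1)</script>', 'latin1') }],
  ['3', { name: 'report.html', body: Buffer.from('<html><body>hi</body></html>') }],
]);

// Keep only characters that cannot break out of a quoted header value.
function safeFilename(name) {
  return name.replace(/[^A-Za-z0-9._-]/g, '_');
}

// Response headers for a stored upload.
function uploadResponseHeaders(upload) {
  const ext = upload.name.split('.').pop().toLowerCase();
  const inlineType = INLINE_TYPES.get(ext);
  return {
    // Declared type is final; script/style loads must match it exactly.
    'X-Content-Type-Options': 'nosniff',
    // Defence in depth should anything still be rendered as a document.
    'Content-Security-Policy': "default-src 'none'; sandbox",
    // Allowlisted types only; everything else is an opaque download.
    'Content-Type': inlineType || 'application/octet-stream',
    'Content-Disposition': `${inlineType ? 'inline' : 'attachment'}; filename="${safeFilename(upload.name)}"`,
  };
}

// Pure handler: returns what would be sent, so it can be exercised without a socket.
function handle(pathname) {
  const m = /^\/uploads\/([A-Za-z0-9]+)$/.exec(pathname);
  const upload = m && UPLOADS.get(m[1]);
  if (!upload) {
    return { status: 404,
             headers: { 'Content-Type': 'text/plain; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
             body: Buffer.from('not found') };
  }
  return { status: 200, headers: uploadResponseHeaders(upload), body: upload.body };
}

// Wire the handler into Node's http module; the server is created but not started here.
function createUploadServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const { status, headers, body } = handle(new URL(req.url, 'http://localhost').pathname);
    res.writeHead(status, headers);
    res.end(body);
  });
}

console.log(handle('/uploads/1').headers['Content-Type']);        // image/gif
console.log(handle('/uploads/2').headers['Content-Disposition']); // attachment; filename="notes.txt"
```

Start it with createUploadServer().listen(8080). The polyglot at /uploads/1 is still served, but as image/gif with nosniff: an img element renders (or fails to render) it as an image, a script src pointing at it is refused because image/* is never a valid script type, and navigating to it shows an image rather than a page. Ideally this handler lives on a separate origin from the main application.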