Paste any URL you're authorized to test. Scorifya fetches the response and shows whether X-Content-Type-Options: nosniff is set, alongside the rest of your security headers.
Free tool
The X-Content-Type-Options header has one job: when set to nosniff, it stops browsers from second-guessing the Content-Type you sent and trying to MIME-sniff a response into something executable. Without it, a file you serve as plain text or an image can sometimes be interpreted as a script, which opens content-confusion and cross-site-scripting paths. It is the cheapest header to ship, and a checker confirms it is actually there.
Paste any URL you're allowed to test. Scorifya fetches the response and reports whether X-Content-Type-Options: nosniff is present. It sits inside the broader 0 to 100 hardening score, so you see the other headers around it too.
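The check described above, reduced to its core logic as an added, offline example (this is not Scorifya's code). It parses a raw HTTP/1.1 response, constructed inline rather than fetched from a real site, and decides whether nosniff is actually in effect the way a browser would: per the Fetch standard's "determine nosniff" rule, repeated header values are combined as a comma-separated list and only the first element is compared, case-insensitively, against `nosniff`. The sample responses and the `scan_raw` / `check_nosniff` names are assumptions made for the example.

```python
"""Offline X-Content-Type-Options checker (added example, not Scorifya's code).

Parses a raw HTTP/1.1 response and reports whether nosniff is effectively on.
Evaluation follows the Fetch standard's "determine nosniff" rule: header values
are joined and split on commas, and only the first value is compared,
case-insensitively, against "nosniff". Sample responses below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_raw_response(raw: bytes) -> Tuple[int, Headers]:
    """Split a raw response into (status_code, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split(b" ")[1])
    headers: Headers = []
    for line in header_block.split(b"\r\n"):
        if not line.strip():
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def effective_nosniff_value(headers: Headers) -> Optional[str]:
    """Return the value a browser would act on, or None if the header is absent."""
    values = [v for n, v in headers if n.lower() == "x-content-type-options"]
    if not values:
        return None
    # Repeated headers combine into a comma-separated list; browsers look at the
    # first element only, so a later "nosniff" cannot rescue a bad first value.
    return ",".join(values).split(",")[0].strip()


def check_nosniff(headers: Headers) -> Dict[str, object]:
    """Report presence, the effective value, and whether browsers will honour it."""
    value = effective_nosniff_value(headers)
    if value is None:
        return {"present": False, "ok": False, "value": None,
                "advice": "Add X-Content-Type-Options: nosniff on every response."}
    ok = value.lower() == "nosniff"
    return {"present": True, "ok": ok, "value": value,
            "advice": None if ok else f"Value {value!r} is not 'nosniff'; browsers ignore it."}


def scan_raw(raw: bytes) -> Dict[str, object]:
    """Parse one raw response and attach the nosniff finding to its status code."""
    status, headers = parse_raw_response(raw)
    result = check_nosniff(headers)
    result["status"] = status
    return result


# Constructed sample responses (not captured from any real site).
SAMPLE_MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nhi"
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
             b"X-Content-Type-Options: NoSniff\r\n\r\n{}")
SAMPLE_WRONG = (b"HTTP/1.1 200 OK\r\nx-content-type-options: none\r\n"
                b"X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("missing", SAMPLE_MISSING), ("ok", SAMPLE_OK), ("wrong", SAMPLE_WRONG)]:
        print(label, scan_raw(raw))
```

The third sample is the case a naive substring check gets wrong: the header is present and even contains `nosniff`, but the first value a browser sees is `none`, so the protection is not in effect.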
This page is written for people searching for X-Content-Type-Options checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: nosniff not set
TLS and most headers are fine, but X-Content-Type-Options is missing, so browsers may MIME-sniff responses instead of trusting the declared type.
X-Content-Type-Options not set
Add X-Content-Type-Options: nosniff so browsers respect the Content-Type you send. It is a single line and has no downside on a correctly typed site.
Example B: nosniff in place
X-Content-Type-Options: nosniff is set, so browsers will not MIME-sniff your responses. The remaining points are elsewhere in the header set.
nosniff set correctly
Make sure every response carries it, including static assets and API routes, not just the homepage.
Add X-Content-Type-Options: nosniff everywhere
This is a one-line, no-downside header for any correctly typed site. Set it at your web server, reverse proxy, or framework so every response, including static files and API routes, carries it.
Send correct Content-Type headers
nosniff only helps if your responses declare the right type. Make sure scripts are served as application/javascript, JSON as application/json, and so on, so the browser has an accurate type to trust.
Cover downloads and user-uploaded files
Files users upload or download are where sniffing bites hardest. Serve them with an accurate Content-Type and nosniff, and consider Content-Disposition: attachment for anything that should never render inline.
Re-scan after the header change
Headers update on the very next response after a deploy. Re-scan immediately to confirm nosniff is present across your responses.
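The four steps above, applied at the framework layer, as an added example rather than Scorifya's or any framework's code: a WSGI middleware that puts `X-Content-Type-Options: nosniff` on every response, fills in an accurate `Content-Type` from the request path when the app forgot one (falling back to `application/octet-stream`, which is never sniffable into script), and adds `Content-Disposition: attachment` on a download route. The `/uploads/` prefix, the `KNOWN_TYPES` table and the toy `demo_app` are assumptions for the demonstration; `run_request` drives the app offline so the result can be inspected without a server.

```python
"""WSGI middleware applying nosniff, accurate Content-Type and attachment
disposition to every response (added example, not Scorifya's or a framework's code)."""
import mimetypes
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Explicit types for the cases the page calls out; mimetypes fills in the rest.
# (Some Python versions map .js to text/javascript, so pin it explicitly.)
KNOWN_TYPES = {
    ".js": "application/javascript",
    ".json": "application/json",
    ".css": "text/css",
    ".html": "text/html; charset=utf-8",
}
DOWNLOAD_PREFIX = "/uploads/"            # assumed route for user-supplied files
FALLBACK = "application/octet-stream"    # safe default: never interpreted as script


def content_type_for(path: str) -> str:
    """Derive a trustworthy Content-Type from the path, never from the bytes."""
    lower = path.lower()
    for ext, ctype in KNOWN_TYPES.items():
        if lower.endswith(ext):
            return ctype
    guessed, _ = mimetypes.guess_type(path)
    return guessed or FALLBACK


def harden_headers(path: str, headers: Headers) -> Headers:
    """Return headers with nosniff enforced, a Content-Type present, and
    Content-Disposition: attachment on the download route."""
    # Drop any app-supplied X-Content-Type-Options so a wrong value cannot win.
    out = [(n, v) for n, v in headers if n.lower() != "x-content-type-options"]
    present = {n.lower() for n, _ in out}
    out.append(("X-Content-Type-Options", "nosniff"))
    if "content-type" not in present:
        out.append(("Content-Type", content_type_for(path)))
    if path.startswith(DOWNLOAD_PREFIX) and "content-disposition" not in present:
        out.append(("Content-Disposition", "attachment"))
    return out


class NoSniffMiddleware:
    """Wrap any WSGI app so every response passes through harden_headers."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "/")

        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, harden_headers(path, headers), exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Toy app that deliberately sets no headers; the middleware supplies them."""
    start_response("200 OK", [])
    return [b"{}"]


def run_request(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app offline and capture (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = NoSniffMiddleware(demo_app)
    for p in ("/api/data.json", "/static/app.js", "/uploads/report.txt", "/blob"):
        print(p, run_request(app, p)[1])
```

Because the middleware wraps the whole app, static files and API routes get the header too, which is the "everywhere" the first step asks for; an existing app-supplied `Content-Type` is left alone, since a dynamic handler knows its own type better than the path does.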
For weights and penalties behind each category, see How Scorifya works.
X-Content-Type-Options is a response header. Set to nosniff, it tells the browser not to MIME-sniff, that is, not to guess a response's type by looking at its content, and to trust the Content-Type you declared instead. This prevents a file served as one type from being interpreted as another, such as a text or image response being run as a script.
If a browser sniffs a response into an executable type, an attacker who can get content onto your origin (an uploaded file, a user-controlled response) may be able to have it run as a script. nosniff removes that ambiguity, which closes a class of content-confusion and cross-site-scripting issues, especially around uploads and downloads.
On a correctly configured site, no. The only time nosniff causes trouble is when responses are served with the wrong Content-Type, in which case the fix is to correct the type rather than to drop the header. Setting nosniff is one of the safest hardening steps you can ship.
Yes. Checking the header (and running the full Scorifya scan) is free for any URL you're authorized to test. Pro adds higher rate limits, scheduled re-scans, watch lists with alerts, and exports.
No. Scorifya only fetches public, unauthenticated URLs. Header values can differ on authenticated routes, so test those during your own staging passes.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.