What is it and why should I care?
X-Content-Type-Options is an HTTP response header that helps prevent browser content-type (MIME) sniffing problems. Without it, a browser may ignore the Content-Type the server declared and guess the type from the bytes of the response; a user-uploaded "text" or "image" file that contains HTML or script can then be rendered and executed as a page on your origin, which is a cross-site scripting vector.
What should I do about it?
There are actually 2 things to do here.
Step 1. When serving resources, make sure you send a Content-Type header that correctly matches the type of the resource being served, for every response (error pages and downloads included). For example, if you’re serving an HTML page, you should send a Content-Type of text/html (normally with a charset parameter, e.g. text/html; charset=utf-8).
Step 2. Add the X-Content-Type-Options header with a value of “nosniff” (i.e. X-Content-Type-Options: nosniff) to tell the browser to trust the content-type the site has sent and not attempt to “sniff” the real content-type. Step 1 is a precondition for Step 2: once sniffing is off, a wrong or missing Content-Type is no longer papered over by the browser, so the declared type has to be right.
These 2 simple steps provide additional protection against content-type sniffing issues, and they are cheap: a correct Content-Type on every response and one extra header.
An important note: while this is a useful protection, not all browsers have implemented it. As of this writing (3/6/2012), only Chrome and IE support it (though NoScript apparently adds the protection to Firefox). Even though it won’t protect every user, it is a useful mechanism to provide extra assurance for the users whose browsers do honour it, and it costs nothing to send to the rest.