The Content-Type header tells the browser how to treat a response, and getting it wrong is a recurring source of security bugs. A file served with the wrong type can be sniffed into something executable, and the right type is sometimes required for a feature to work at all. This tool maps any MIME type or file extension to its security profile so you can serve it safely.
How it works
The tool matches your input against a bundled registry, first as an exact MIME type, then as a file extension, then as a partial type name. For the matched entry it reports:
- Canonical Content-Type — the value to put in the header.
- Sniffability — whether browsers may MIME-sniff this type when
nosniffis absent. - Risk level — high for executable or scriptable types (HTML, JavaScript, SVG), lower for inert data and raster images.
- Recommended header —
X-Content-Type-Options: nosniff, which disables content sniffing across the board. - CSP directive — which Content-Security-Policy directive governs loading this type, for example
script-srcfor JavaScript andimg-srcfor images.
Risk levels explained
Not all MIME types carry the same security risk. The tool classifies them into three tiers:
High risk — types that can contain or execute code:
text/html— directly rendered as a document; can contain inline scripts and event handlersimage/svg+xml— SVG is XML and supports<script>tags andonloadattributes; serving untrusted SVG inline is a stored XSS vectortext/javascript/application/javascript— executable script; always restrict withscript-srcin your CSPapplication/xhtml+xml— similar to HTML; parsed by the XML parser but can contain script
Medium risk — types that can embed or reference external resources:
text/css— CSS can useurl()imports and was historically exploitable for data exfiltration in older browserstext/xml/application/xml— XML parsers may resolve external entities (XXE) if not hardened
Low risk — inert binary or text data:
image/png,image/jpeg,image/webp— raster images parsed only by the image decoderapplication/pdf— sandboxed by the PDF viewerapplication/octet-stream— generic binary; browsers treat it as a download
MIME sniffing: when browsers ignore your header
MIME sniffing occurs when a browser examines the first bytes of a response to determine the actual type, ignoring the declared Content-Type. Internet Explorer popularised this behaviour; Chrome and Firefox maintain it in some cases for compatibility.
The classic attack: an attacker uploads a file with a .jpg extension but it begins with <html>. A sniffing browser that loads it inline may render it as HTML and execute any embedded script. Serving X-Content-Type-Options: nosniff in the response header tells the browser to trust your declared type and never guess.
The tool flags sniffable types so you know where this header is particularly important.
Practical examples
Serving user-uploaded SVG:
Content-Type: image/svg+xml
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'
Content-Disposition: attachment; filename="upload.svg"
Serving as an attachment prevents inline rendering entirely; the strongest option for untrusted SVG.
Serving an API JSON response:
Content-Type: application/json
X-Content-Type-Options: nosniff
JSON cannot execute as HTML, so the main concern is that clients parse it correctly rather than treating it as plain text.
Serving a Web Worker or ES module:
Content-Type: text/javascript
X-Content-Type-Options: nosniff
Modules strictly require text/javascript; a wrong type (such as text/plain) causes a fetch failure even with a <script type="module"> tag.
A safe default for almost every response is to set the correct Content-Type and always add X-Content-Type-Options: nosniff. Reserve inline rendering for types you fully control, and serve untrusted uploads as attachments.