What is MIME sniffing and why is it dangerous?

MIME sniffing is when a browser ignores the declared Content-Type and guesses the type from the bytes. An attacker can upload a file labelled as an image that actually contains HTML or script, and a sniffing browser may execute it. Sending X-Content-Type-Options: nosniff disables this guessing.

Why is image/svg+xml marked high risk?

SVG is XML and can contain inline script tags and event handlers. When served inline with an image type, a hostile SVG can run JavaScript in your origin, making it a stored XSS vector. Sanitise SVG uploads or serve them as downloads.

When should I use application/octet-stream?

Use it for arbitrary binary downloads you do not want the browser to render, paired with Content-Disposition: attachment and nosniff. Be aware that without nosniff some browsers will still sniff octet-stream into HTML.

Does the correct Content-Type matter if I also set nosniff?

Yes. Even with nosniff, some types require the exact Content-Type to work, such as application/wasm for streaming compilation and ES modules. Setting the right type and nosniff together is the safe combination.

Is my input sent to a server?

No. The lookup runs against a registry bundled into the page and executes entirely in your browser. Nothing you type is transmitted.

MIME Type Inspector & Security Risk Checker

The Content-Type header tells the browser how to treat a response, and getting it wrong is a recurring source of security bugs. A file served with the wrong type can be sniffed into something executable, and the right type is sometimes required for a feature to work at all. This tool maps any MIME type or file extension to its security profile so you can serve it safely.

How it works

The tool matches your input against a bundled registry, first as an exact MIME type, then as a file extension, then as a partial type name. For the matched entry it reports:

Canonical Content-Type — the value to put in the header.
Sniffability — whether browsers may MIME-sniff this type when nosniff is absent.
Risk level — high for executable or scriptable types (HTML, JavaScript, SVG), lower for inert data and raster images.
Recommended header — X-Content-Type-Options: nosniff, which disables content sniffing across the board.
CSP directive — which Content-Security-Policy directive governs loading this type, for example script-src for JavaScript and img-src for images.

Example and tips

Look up .svg and the tool flags it high risk: SVG can embed <script>, so a hostile upload served inline runs in your origin. The guidance is to sanitise it or serve it with Content-Disposition: attachment. By contrast image/png is low risk, yet the tool still recommends nosniff so a mislabelled HTML payload cannot be sniffed into a document.

A safe default for almost every response is to set the correct Content-Type and always add X-Content-Type-Options: nosniff. Reserve inline rendering for types you fully control, and serve untrusted uploads as attachments.