Links

MIME type sniffing

MIME type sniffing is an operation conducted by many browsers. Each browser behaves differently on that matter, but overall, MIME sniffing is an action where they determine a page content type depending on that page content. This is can be dangerous as it could allow attackers to hide HTML code into a .jpg file, and have the visitor's browser interpret the page and execute client code (XSS) because the browser determined the file was HTML code instead of a JPG image.
The XCTO (X-Content-Type-Options) security header can be used to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed by the browser depending on the pages content. Websites that implement that security header with the nosniff directive must also include a valid Content-Type header in their responses.

Resources