This header protects against so-called browser sniffing, where the browser itself determines the type of a file instead of obeying the type declared in the Content-Type header. Without this header, browsers can incorrectly detect files as scripts or stylesheets, leading to XSS attacks.
It blocks the browser from guessing the file type, also known as MIME sniffing, based on the file content instead of the specified Content-Type. This stops the browser from accidentally executing a disguised malicious file, but it only applies to files where the expected type is style or script.
This header has only one directive to add, nosniff.
When it is applied, the browser honors the Content-Type header specified for the file and blocks the resource instead of executing it.
Although the header doesn't have any drawbacks, only about 16% of sites use it*. Test to see if you have it on your site:
Adding it can look like this:
<!-- goes inside <system.webServer><httpProtocol><customHeaders> in web.config -->
<add name="X-Content-Type-Options" value="nosniff"/>
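A small checker for the test mentioned above, and for the script/style caveat: it parses raw response headers, reports whether nosniff is set, and shows which script or stylesheet responses the browser will then refuse because their declared Content-Type is wrong. This is an added example with constructed sample responses, not code from the original post; the MIME type list is an assumed subset of what browsers accept.

```python
# Common JavaScript MIME types a browser accepts for a script under nosniff
# (assumed subset of the standard list, for illustration).
JS_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "application/ecmascript", "text/ecmascript", "text/jscript",
}

def parse_headers(raw):
    """Raw response header block -> {lower-case name: value}; status line skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def has_nosniff(headers):
    """Header name and the nosniff directive are both case-insensitive."""
    return headers.get("x-content-type-options", "").lower() == "nosniff"

def mime_essence(content_type):
    """Drop parameters such as '; charset=utf-8' and lower-case the type."""
    return content_type.split(";", 1)[0].strip().lower()

def audit(destination, raw):
    """Return (nosniff_set, would_load) for a resource used as 'script',
    'style' or anything else. Under nosniff a script needs a JavaScript type
    and a stylesheet needs text/css; without nosniff the browser may sniff,
    which this simplified model treats as the resource loading."""
    headers = parse_headers(raw)
    nosniff = has_nosniff(headers)
    essence = mime_essence(headers.get("content-type", ""))
    if destination == "script":
        acceptable = essence in JS_TYPES
    elif destination == "style":
        acceptable = essence == "text/css"
    else:
        acceptable = True
    return nosniff, acceptable or not nosniff

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "script_ok": ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript; charset=utf-8\r\n"
                  "X-Content-Type-Options: nosniff\r\n"),
    # Header is set correctly, but a script served as text/plain is now refused.
    "script_wrong_type": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                          "X-Content-Type-Options: NOSNIFF\r\n"),
    "header_missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n",
}
```

Run `audit("script", raw)` against the header block of each script your pages load before enabling the header: any `(True, False)` result is a resource that will break once the browser stops sniffing.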
Read more about: How to add headers to your .net site
Next up in the Security Headers series: Strict-Transport-Security