Headers

X-Content-Type-Options

Indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed.

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xContentTypeOptions: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xContentTypeOptions: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by xContentTypeOptions: false.

Default value

By default, Nuxt Security will set the following value for this header.

X-Content-Type-Options: nosniff

Available values

The xContentTypeOptions header can be configured with following values.

xContentTypeOptions: 'nosniff' | false

nosniff

Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.

Strict-Transport-Security

Inform browsers that the site should only be accessed using HTTPS.

X-DNS-Prefetch-Control

Control how domain name resolutions is done by the browsers.