{"id":17091,"library":"dont-sniff-mimetype","title":"Don't Sniff Mimetype Middleware","description":"This package provides a small, focused Express/Connect middleware designed to set the `X-Content-Type-Options` HTTP header to `nosniff`. This header is a crucial client-side security measure that prevents browsers from \"sniffing\" or inferring the MIME type of a response, thereby enforcing the `Content-Type` header explicitly sent by the server. Without it, browsers might execute files (like HTML or JavaScript) that are incorrectly served with a generic MIME type (e.g., `text/plain`), leading to cross-site scripting (XSS) or other content-based attacks. The current stable version is 1.1.0, which was last published in 2019, indicating a highly mature and stable, but infrequently updated, codebase. It is a standalone component of the broader Helmet.js suite, which includes this functionality by default. Its key differentiator is offering granular control over this specific security header without deploying the entire Helmet.js bundle.","status":"active","version":"1.1.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/dont-sniff-mimetype","tags":["javascript","helmet","security","express","connect","mimetype","x-content-type-options","typescript"],"install":[{"cmd":"npm install dont-sniff-mimetype","lang":"bash","label":"npm"},{"cmd":"yarn add dont-sniff-mimetype","lang":"bash","label":"yarn"},{"cmd":"pnpm add dont-sniff-mimetype","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The package's primary and documented usage is CommonJS `require()` due to its publication date. While Node.js may interoperate with ESM `import`, explicit ESM support is not guaranteed for this older version.","wrong":"import dontSniffMimetype from 'dont-sniff-mimetype';","symbol":"dontSniffMimetype","correct":"const dontSniffMimetype = require('dont-sniff-mimetype');"},{"note":"The imported `dontSniffMimetype` is a factory function that returns the actual middleware. It must be invoked with `()`.","wrong":"app.use(dontSniffMimetype);","symbol":"middleware function","correct":"app.use(dontSniffMimetype());"}],"quickstart":{"code":"const express = require('express');\nconst dontSniffMimetype = require('dont-sniff-mimetype');\n\nconst app = express();\n\n// Apply the X-Content-Type-Options: nosniff header to all responses\napp.use(dontSniffMimetype());\n\napp.get('/', (req, res) => {\n  res.set('Content-Type', 'text/html');\n  res.send('<h1>Hello! MIME sniffing is prevented.</h1><script>console.log(\"This script runs because the response is HTML; a JS file served as text/plain would be blocked.\");</script>');\n});\n\napp.get('/untrusted.txt', (req, res) => {\n  // Serve a 'text' file that looks like JavaScript, but is explicitly text/plain.\n  // With 'nosniff', browsers will not execute this as a script.\n  res.set('Content-Type', 'text/plain');\n  res.send('alert(\"This should not execute as JavaScript!\"); console.log(\"MIME sniffing prevented for untrusted.txt\");');\n});\n\napp.listen(3000, () => {\n  console.log('Server running on http://localhost:3000');\n  console.log('Visit / to see HTML. Visit /untrusted.txt and check headers/console.');\n});","lang":"javascript","description":"Demonstrates how to apply the `dont-sniff-mimetype` middleware to an Express application, showing how it sets the `X-Content-Type-Options: nosniff` header and prevents a browser from executing an incorrectly typed script."},"warnings":[{"fix":"Remove `dont-sniff-mimetype` if `helmet` is already in use and configured to set this header.","message":"If you are already using the full `helmet` package (e.g., `app.use(helmet())`), this `dont-sniff-mimetype` middleware is redundant. Helmet includes `X-Content-Type-Options: nosniff` by default.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Consider using the full `helmet` package for a more actively maintained and comprehensive security solution, or ensure you understand the implications of using an unmaintained package if adopting this one directly.","message":"This package is very old, with its last update occurring in 2019. While the underlying security header remains relevant, the package itself receives minimal to no active maintenance.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure critical assets are always served with the correct `Content-Type` header from the server, as `nosniff` acts as a second line of defense, not a primary fix for incorrect server configurations. Regular testing across target browsers is recommended.","message":"While the `X-Content-Type-Options: nosniff` header is widely supported by modern browsers (Chrome, Edge, Firefox 50+, IE 8+, Safari 11+), older or less common browsers might not fully respect it, potentially still attempting MIME sniffing.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Call the imported function when using it as middleware: `app.use(dontSniffMimetype());`","cause":"The `dont-sniff-mimetype` module exports a factory function that must be called to produce the middleware. It is not the middleware itself.","error":"TypeError: dontSniffMimetype is not a function"},{"fix":"Verify that your server is sending the correct `Content-Type` header for all resources. For example, JavaScript files should be `application/javascript`, not `text/plain`. If the resource truly isn't meant to be executable, no fix is needed; the package is preventing a potential vulnerability.","cause":"This error indicates `dont-sniff-mimetype` is working as intended. The browser received a resource with `X-Content-Type-Options: nosniff` and a `Content-Type` header (e.g., `text/plain`) that does not permit script execution.","error":"Refused to execute script from '<URL>' because its MIME type ('<incorrect-type>') is not executable, and strict MIME type checking is enabled."},{"fix":"Ensure `app.use(dontSniffMimetype());` is called early in your middleware chain, before any routes that might send responses without this header. Inspect network requests in developer tools to confirm the header is present.","cause":"The middleware was not correctly applied to the Express/Connect application, or it was overridden by subsequent middleware.","error":"Server responses do not include 'X-Content-Type-Options: nosniff' header."}],"ecosystem":"npm","meta_description":null}