MIME Sniffing

MIME sniffing is the browser practice of inspecting a response's initial bytes to guess its format when the Content-Type header is missing or wrong. It enabled compatibility with poorly configured servers but introduced cross-site scripting risks, which the X-Content-Type-Options: nosniff header and the WHATWG mimesniff specification exist to constrain.

MIME sniffing (also called content sniffing or media type sniffing) is the browser behavior of inspecting the first bytes of an HTTP response to guess its format when the declared Content-Type header is missing, wrong, or generic. The practice dates to early Internet Explorer, which tried to render pages that lacked correct headers, and was later codified in the WHATWG mimesniff living standard so that competing browsers would at least guess in the same way.

Sniffing uses magic numbers and byte patterns: a PNG file begins with the bytes `89 50 4E 47`, a JPEG with `FF D8 FF`, an HTML document often with `<!DOCTYPE` or `<html`. Heuristics extend to character encoding detection, which has its own history of bugs: Internet Explorer 7 could be coerced into executing scripts hidden in UTF-7-encoded responses because that encoding admits multiple representations of the same ASCII text.

The security problem is straightforward. If a server lets users upload files and serves them with a benign or missing Content-Type, an attacker can upload a file that looks like an image to the upload check but contains HTML and JavaScript. A sniffing browser may then execute it in the origin's context, yielding cross-site scripting (XSS).

The defense is the `X-Content-Type-Options: nosniff` HTTP response header, which instructs browsers to honor the declared type and refuse to second-guess it. Modern security guidance treats `nosniff` as a baseline header alongside Content-Security-Policy, and the WHATWG specification narrows the set of cases in which sniffing is allowed even without the header.
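To make the byte-pattern matching and the effect of `nosniff` concrete, the following Python example is added here; it is not code from the page or from the WHATWG standard. It implements a small subset of the mimesniff pattern tables (PNG, JPEG, GIF and the HTML tag patterns), a deliberately simplified model of the standard's computed MIME type with and without `nosniff`, and a server-side upload check of the kind the text calls for: accept a file as an image only if its magic bytes match the claimed type and it does not sniff as HTML. The function names, the `computed_mime_type` model and the sample byte strings are constructed for this example; the model follows the standard's tables, not the legacy Internet Explorer behavior the page describes.

```python
"""Simplified MIME sniffing plus an upload validator built on it (added example)."""
from typing import Optional, Tuple

# (pattern, mask, mime type): a 0xFF mask byte means "compare exactly".
# Subset of the image patterns from the WHATWG mimesniff standard.
IMAGE_PATTERNS = [
    (b"\x89PNG\r\n\x1a\n", b"\xff" * 8, "image/png"),
    (b"\xff\xd8\xff",      b"\xff" * 3, "image/jpeg"),
    (b"GIF87a",            b"\xff" * 6, "image/gif"),
    (b"GIF89a",            b"\xff" * 6, "image/gif"),
]

# HTML patterns: matched case-insensitively after leading whitespace and
# followed by a tag-terminating byte (space or '>'), as in the standard.
HTML_TAGS = [b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME",
             b"<H1", b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE",
             b"<B", b"<BODY", b"<BR", b"<P", b"<!--"]
WHITESPACE = b"\t\n\x0c\r "
TAG_TERMINATORS = b" >"
RESOURCE_HEADER_LEN = 1445          # the standard sniffs at most 1445 bytes
GENERIC_TYPES = {"unknown/unknown", "application/unknown", "*/*"}


def matches_pattern(data: bytes, pattern: bytes, mask: bytes) -> bool:
    """Masked byte-wise comparison, the core of the standard's pattern matcher."""
    if len(data) < len(pattern):
        return False
    return all((d & m) == p for d, p, m in zip(data, pattern, mask))


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image type whose signature starts the data, if any."""
    for pattern, mask, mime in IMAGE_PATTERNS:
        if matches_pattern(data, pattern, mask):
            return mime
    return None


def sniff_html(data: bytes) -> bool:
    """True if the resource header starts (after whitespace) with an HTML tag."""
    body = data.lstrip(WHITESPACE)
    for tag in HTML_TAGS:
        if (len(body) > len(tag) and body[:len(tag)].upper() == tag
                and body[len(tag)] in TAG_TERMINATORS):
            return True
    return False


def sniff_unknown(data: bytes, sniff_scriptable: bool) -> str:
    """Simplified 'rules for identifying an unknown MIME type'.
    Scriptable (HTML) patterns are consulted only when sniff_scriptable is set."""
    if sniff_scriptable and sniff_html(data):
        return "text/html"
    image = sniff_image(data)
    if image:
        return image
    return "application/octet-stream"   # simplification of the text/binary rules


def computed_mime_type(declared: Optional[str], body: bytes, nosniff: bool = False) -> str:
    """Assumed browser model (simplified from the standard):
    - missing or generic declared type: sniff, with HTML patterns disabled by nosniff;
    - any other declared type: honored as-is (the standard never promotes a
      declared image to text/html; it only refines within a family)."""
    header = body[:RESOURCE_HEADER_LEN]
    if declared is None or declared in GENERIC_TYPES:
        return sniff_unknown(header, sniff_scriptable=not nosniff)
    return declared


def validate_upload(claimed_type: str, data: bytes) -> Tuple[bool, str]:
    """Server-side check for an image upload: the magic bytes must agree with the
    claimed type and the content must not sniff as HTML. Returns (accepted, reason)."""
    header = data[:RESOURCE_HEADER_LEN]
    if sniff_html(header):
        return False, "content sniffs as HTML"
    actual = sniff_image(header)
    if actual is None:
        return False, "no recognised image signature"
    if actual != claimed_type:
        return False, f"signature is {actual}, not {claimed_type}"
    return True, actual


# Constructed sample inputs: a minimal PNG header with filler, and an HTML
# document submitted under an image file name, as in the XSS scenario above.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED = b"  <html><script>alert(1)</script></html>"

if __name__ == "__main__":
    print(validate_upload("image/png", REAL_PNG))        # (True, 'image/png')
    print(validate_upload("image/png", DISGUISED))       # (False, 'content sniffs as HTML')
    print(computed_mime_type(None, DISGUISED))           # text/html
    print(computed_mime_type(None, DISGUISED, True))     # application/octet-stream
    print(computed_mime_type("image/png", DISGUISED, True))  # image/png
```

The two layers are complementary: `validate_upload` stops the disguised file from being stored at all, and sending `X-Content-Type-Options: nosniff` with a correct Content-Type on every response means that, should a bad file still be served, the browser model in `computed_mime_type` never reaches the HTML patterns.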


This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons.