Configuring X-Content-Type-Options

There are two settings:

Configuration      Resulting header
enabled="false"    None
enabled="true"     X-Content-Type-Options: nosniff

In web.config:

<x-Content-Type-Options enabled="false"/>

NWebsec.Owin (ASP.NET 4): Register the middleware in the OWIN startup class:

using NWebsec.Owin;
...
public void Configuration(IAppBuilder app)
{
    app.UseXContentTypeOptions();
}

Or as an MVC attribute (which defaults to true):

[XContentTypeOptions]
[XContentTypeOptions(Enabled = false)]

The header is omitted for redirects.
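
To confirm a deployment matches the settings above, the following added example (not part of NWebsec) audits captured responses for the nosniff header and exempts redirects, as the page describes. The function names, the set of status codes treated as redirects, and the sample responses are assumptions made for illustration.

```python
# Added example: audits captured responses for X-Content-Type-Options.
# Not part of NWebsec; REDIRECT_STATUSES and SAMPLE are assumptions.

HEADER = "x-content-type-options"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}  # assumption: what counts as a redirect


def check_nosniff(status, headers):
    """Classify one response. headers is a list of (name, value) pairs."""
    # Header names are case-insensitive; repeated headers are combined in order.
    values = [v for n, v in headers if n.lower() == HEADER]
    if not values:
        # The header is expected to be absent on redirects.
        return "redirect-exempt" if status in REDIRECT_STATUSES else "missing"
    # Only the first comma-separated value is compared, case-insensitively.
    first = ",".join(values).split(",")[0].strip().lower()
    return "ok" if first == "nosniff" else "invalid"


def audit(responses):
    """Return (url, verdict) for every response that needs attention."""
    findings = []
    for url, status, headers in responses:
        verdict = check_nosniff(status, headers)
        if verdict in ("missing", "invalid"):
            findings.append((url, verdict))
    return findings


# Constructed sample responses (not captured from a real site).
SAMPLE = [
    ("/", 200, [("Content-Type", "text/html"), ("X-Content-Type-Options", "nosniff")]),
    ("/login", 302, [("Location", "/account")]),
    ("/upload/1", 200, [("Content-Type", "text/plain")]),
    ("/api", 200, [("x-content-type-options", "NoSniff")]),
    ("/legacy", 200, [("X-Content-Type-Options", "true")]),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE):
        print(f"{url}: {verdict}")
```

A "missing" finding on a non-redirect response usually means the route is not covered by the configuration or an action carries the attribute with Enabled = false.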