HTTP headers / response header
X-Content-Type-Options: nosniff
Tells the browser to trust the declared Content-Type instead of sniffing the body for a different type. Under nosniff a response fetched as a script is refused unless its MIME type is a JavaScript type, and one fetched as a stylesheet is refused unless it is text/css. That blocks a class of XSS in which attacker-controlled content that the server labels as something harmless (a mislabeled upload, a JSON or text/plain endpoint) is pulled in with a script tag and executed anyway.
The only defined value is nosniff, so set it on every response. The one operational catch: it only helps, and is only safe, when Content-Type is right. A script served as text/plain loads fine without the header and is refused with it, so check the Content-Type of your scripts and stylesheets before rolling it out.
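The check a practitioner wants to run on a captured response, as an added example that is not ReqPad's code: parse the raw header block, decide whether nosniff is in force the way the Fetch standard does (byte-case-insensitive, first list member only), and predict whether a nosniff-enforcing browser would refuse the response for a script or style request. The three sample responses are constructed inline so the script runs offline; the function names are this example's own.

```python
# Added example (not ReqPad's code): audit a raw HTTP response for
# X-Content-Type-Options and predict what a nosniff-enforcing browser does
# with it for script and style destinations. Sample responses are constructed.
from typing import Dict, List, Optional

# MIME types the Fetch standard classes as JavaScript MIME types.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into lowercase name -> values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # tolerate junk lines; a strict parser would reject them
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_nosniff(headers: Dict[str, List[str]]) -> bool:
    """Fetch's 'determine nosniff': only the first list member counts, case-insensitively."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first = values[0].split(",")[0].strip()
    return first.lower() == "nosniff"


def mime_essence(headers: Dict[str, List[str]]) -> Optional[str]:
    """type/subtype of the first Content-Type, lowercased, parameters dropped."""
    values = headers.get("content-type")
    if not values:
        return None
    return values[0].split(";", 1)[0].strip().lower() or None


def blocked_by_nosniff(headers: Dict[str, List[str]], destination: str) -> bool:
    """True if a browser honouring nosniff refuses this response for the given
    request destination ('script', 'style', or anything else)."""
    if not has_nosniff(headers):
        return False
    essence = mime_essence(headers) or ""
    if destination == "script":
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # nosniff does not block other destinations outright


def audit(raw: str, destination: str) -> Dict[str, object]:
    """Summarise the nosniff posture of one raw response for one destination."""
    headers = parse_headers(raw)
    nosniff = has_nosniff(headers)
    essence = mime_essence(headers)
    blocked = blocked_by_nosniff(headers, destination)
    if not nosniff:
        finding = "missing X-Content-Type-Options: nosniff; browser may sniff the body"
    elif blocked:
        finding = (f"nosniff set but Content-Type {essence!r} is not valid for "
                   f"a {destination}; browser refuses it")
    else:
        finding = "ok"
    return {"nosniff": nosniff, "content_type": essence,
            "blocked": blocked, "finding": finding}


# Constructed sample responses (not captured traffic).
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript; charset=utf-8\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\nconsole.log(1)")
# An "upload" served as text/plain whose body is JavaScript: without nosniff a
# <script src> pointing at it executes the body regardless of Content-Type.
NO_HEADER = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
             "alert(document.cookie)")
# Header set (any case), but the real script is mislabeled: now it is refused.
MISLABELED = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              "X-Content-Type-Options: NOSNIFF\r\n\r\nconsole.log(1)")

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("NO_HEADER", NO_HEADER), ("MISLABELED", MISLABELED)):
        print(name, audit(raw, "script"))
```

Run it against a pasted raw response and a destination: the MISLABELED case is the rollout failure described above, a script that worked before the header was added and is refused afterwards. Note that a value list such as `foo, nosniff` does not enable nosniff, because only the first member is consulted.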
The fastest way to see what X-Content-Type-Options is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history. Related references: status codes · WWW-Authenticate · Content-Encoding · Transfer-Encoding · ETag · Last-Modified · Expires
Build the request, send it, read raw headers and timing — from your iPhone. Free to start.