DevToolsLabs

MIME Types & Security Headers Hub

Secure your web applications and configure server responses with confidence. Use this interactive hub to find definitions, best practices, and real-world examples of headers and content types.

100% Private & Secure

This tool runs completely inside your browser using client-side WebAssembly and JS. Zero data is ever sent to our servers.

Content-Security-Policy (CSP)

Security

Mitigates XSS by telling the browser which origins it may load scripts, styles, frames and other resources from, so injected markup cannot pull in a script from an attacker's host. It is a second layer behind output encoding, not a replacement for it: a policy whose script-src contains 'unsafe-inline' or '*' adds almost nothing. The frame-ancestors directive is the CSP replacement for X-Frame-Options and covers clickjacking in the same header.

Pro Example: default-src 'self'; script-src 'self' https://trusted.com; frame-ancestors 'none'

Strict-Transport-Security (HSTS)

Security

Tells the browser to reach this host (and, with includeSubDomains, every subdomain) only over HTTPS for max-age seconds. Later http:// navigations are upgraded before any request leaves the browser, which removes the window for SSL-stripping on the first hop. The header is only honoured when received over a valid HTTPS connection.

Pro Example: max-age=63072000; includeSubDomains; preload

Roll out with a short max-age first, and add preload only when every subdomain already serves HTTPS and you intend to submit the domain to the HSTS preload list: the browsers ship that list, so removal takes months.

X-Content-Type-Options

Security

Tells the browser to trust the declared Content-Type and not sniff the body, so a file served as text/plain or image/png is never interpreted as HTML or JavaScript. It also makes the browser refuse scripts and stylesheets served with a wrong Content-Type, which is why every script your pages load must carry a JavaScript type.

Pro Example: nosniff

X-Frame-Options

Security

Controls whether your pages may be embedded in an <iframe>, which is the basis of clickjacking. DENY forbids all framing; SAMEORIGIN allows framing only by pages from the same origin. The CSP frame-ancestors directive supersedes it and can list specific allowed origins; send both while old browsers matter, and keep the two consistent.

Pro Example: DENY (or SAMEORIGIN when your own pages must frame each other)

Referrer-Policy

Security

Controls how much of the current URL is sent in the Referer header of outgoing requests and navigations. no-referrer-when-downgrade, the old browser default, still sends the full URL, including path and query string, to every HTTPS destination, so tokens or record IDs carried in URLs leak to third parties.

Pro Example: strict-origin-when-cross-origin

This is the current browser default: full URL to same-origin requests, only the origin cross-origin, nothing when going from HTTPS to HTTP. Use no-referrer where even the origin must not be disclosed.
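The checks behind the five security headers above can be run as code. The following auditor is an added example, not code from the DevToolsLabs tool: it takes a response's header set, parses the CSP, and reports the weak settings discussed above (inline or wildcard script sources, short HSTS lifetime, missing nosniff, no framing protection, a leaky Referrer-Policy). The thresholds, the two sample header sets and the function names are this example's own choices.

```javascript
// Added example, not code from the DevToolsLabs page: audit a response's
// headers against the recommendations above. Thresholds, sample header
// sets and function names are this example's own choices.

const ONE_YEAR = 31536000;

// Parse a CSP string into an object: { 'script-src': ["'self'", ...], ... }
function parseCsp(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// HTTP header names are case-insensitive; normalise before lookup.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // script-src falls back to default-src when absent.
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    if (!csp['default-src']) findings.push('CSP has no default-src fallback');
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (scriptSrc.includes('*') || scriptSrc.length === 0) findings.push('CSP does not restrict script sources');
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Either mechanism blocks framing; frame-ancestors is the modern one.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const framed = csp && csp['frame-ancestors'];
  if (!framed && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }

  const referrer = (h['referrer-policy'] || '').toLowerCase();
  if (['', 'unsafe-url', 'no-referrer-when-downgrade'].includes(referrer)) {
    findings.push(`Referrer-Policy "${referrer}" leaks full URLs to other origins`);
  }

  return findings;
}

// Constructed sample header sets (not captured from a real site).
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'Referrer-Policy': 'no-referrer-when-downgrade',
};

const STRONG_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' https://trusted.com; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log(auditHeaders(WEAK_HEADERS));   // seven findings
console.log(auditHeaders(STRONG_HEADERS)); // []
```

Feed it the header object your HTTP client returns (Node's `response.headers` is already lower-cased, so `normalize` is a no-op there). The CSP check is deliberately narrow: it flags the two settings that neutralise script-src, and it does not judge whether the listed hosts are actually trustworthy.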

application/json

MIME Type

Standard format for API responses and configuration data. Send it as application/json with no charset parameter (RFC 8259 defines none; JSON on the wire is UTF-8) and together with X-Content-Type-Options: nosniff. Never serve API output as text/html: a reflected value in the response would then render as markup in the caller's origin.

text/html

MIME Type

Standard format for web pages. Always declare the encoding, text/html; charset=utf-8, so the browser never has to guess it; encoding guessing has been used to slip markup past server-side filters.

image/svg+xml

MIME Type

Scalable Vector Graphics format. SVG is XML and may contain <script> elements and event handlers, so a user-uploaded SVG served inline from your origin is a stored XSS vector. An SVG referenced from an <img> tag does not run scripts, but a direct navigation to the file does; serve uploads with Content-Disposition: attachment, from a separate origin, or only after sanitising.

application/pdf

MIME Type

Portable Document Format. PDFs can embed JavaScript and form actions that the viewer executes, so treat uploaded PDFs like any other active content: prefer Content-Disposition: attachment over rendering them inline in your origin.

multipart/form-data

MIME Type

Used for submitting forms with binary file uploads; the boundary parameter (multipart/form-data; boundary=...) separates the parts. The filename and Content-Type the browser supplies for each part are untrusted input: derive the stored type from the file's content and your own allowlist, never from what the client declared.

application/javascript

MIME Type

Format for executable scripts. RFC 9239 makes text/javascript the standard media type and marks application/javascript as obsolete; browsers accept both. With nosniff set, a script served under any non-JavaScript type (for example text/plain from a misconfigured static server) is refused, so check this for every file your pages load.
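The caveats on the six MIME types above come together when serving user uploads: the declared type must be trustworthy, nosniff must be on, and anything a browser would render as a document (HTML, SVG, PDF, scripts) must not be shown inline from your origin. The following function is an added example, not code from the DevToolsLabs tool; its extension table, its set of "active" types, the `sandbox` CSP it attaches and all names are this example's own choices.

```javascript
// Added example, not code from the DevToolsLabs page: choose response headers
// for serving a user-uploaded file so that the types listed above cannot turn
// into script running in your origin. The extension table, the "active type"
// set and the function names are this example's own choices.

// Types a browser executes or renders as a document when shown inline.
const ACTIVE_TYPES = new Set([
  'text/html', 'image/svg+xml', 'application/pdf', 'text/javascript',
]);

const TYPE_BY_EXTENSION = {
  json: 'application/json',
  html: 'text/html',
  svg: 'image/svg+xml',
  pdf: 'application/pdf',
  js: 'text/javascript', // RFC 9239: preferred over application/javascript
  png: 'image/png',
  txt: 'text/plain',
};

// Types that take a charset parameter; application/json deliberately does not.
const TEXT_TYPES = new Set(['text/html', 'text/plain', 'text/javascript']);

// Does the body start with markup ('<' after an optional BOM and whitespace)?
// A browser that sniffed such a body could treat it as HTML or SVG.
function looksLikeMarkup(bytes) {
  let i = 0;
  if (bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf) i = 3; // UTF-8 BOM
  while (i < bytes.length && [0x20, 0x09, 0x0a, 0x0d].includes(bytes[i])) i++;
  return bytes[i] === 0x3c; // '<'
}

// Keep the Content-Disposition filename a plain ASCII token so a crafted
// name cannot inject quotes, header separators or path segments.
function safeFilename(name) {
  const cleaned = name.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  return cleaned || 'download';
}

function headersForUpload(filename, bytes) {
  const ext = filename.toLowerCase().split('.').pop();
  let type = TYPE_BY_EXTENSION[ext] || 'application/octet-stream';
  const headers = { 'X-Content-Type-Options': 'nosniff' };

  // Extension says "data" but the bytes say "markup": do not vouch for it.
  const mismatch = looksLikeMarkup(bytes) && !['text/html', 'image/svg+xml'].includes(type);
  if (mismatch) type = 'application/octet-stream';

  headers['Content-Type'] = TEXT_TYPES.has(type) ? `${type}; charset=utf-8` : type;

  if (mismatch || ACTIVE_TYPES.has(type)) {
    // Force a download and, should something still render it, strip its powers.
    headers['Content-Disposition'] = `attachment; filename="${safeFilename(filename)}"`;
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  } else {
    headers['Content-Disposition'] = 'inline';
  }
  return headers;
}

// Constructed samples (not real uploads).
const encode = (s) => new TextEncoder().encode(s);
const SCRIPTED_SVG = encode('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>');
const HONEST_JSON = encode('{"ok": true}');
const HTML_AS_PNG = encode('<html><script>alert(1)</script></html>');

console.log(headersForUpload('logo.svg', SCRIPTED_SVG));  // image/svg+xml, attachment
console.log(headersForUpload('data.json', HONEST_JSON));  // application/json, inline
console.log(headersForUpload('photo.png', HTML_AS_PNG));  // octet-stream, attachment
```

The markup check is intentionally crude; a real upload service pairs an allowlist of extensions with a proper content sniffer and stores files under a server-chosen name. What the example shows is the decision structure: the client's filename and type never reach the response unchecked, and anything active leaves the server as a download with nosniff set.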

Cache-Control

Caching

Tells browsers and intermediate caches whether, where and for how long a response may be stored. The example below is right only for versioned static assets whose URL changes whenever the content changes (fingerprinted filenames): the browser keeps them for a year and immutable stops it revalidating on reload. HTML documents usually get no-cache so they are revalidated on every use, and any response that depends on the user or session needs no-store so a shared cache or a shared machine never hands it to someone else.

Pro Example: public, max-age=31536000, immutable

ETag

Caching

An opaque validator for one version of a resource. The browser sends it back in If-None-Match, and the server answers 304 Not Modified without a body when the tag still matches. The W/ prefix marks a weak validator (semantically equivalent content, not byte-identical); strong ETags are required for byte-range requests. Derive it from a hash of the content rather than from inode numbers, which differ between server nodes and leak filesystem details.

Pro Example: W/"xy-12345"

How to use this tool

  1. Filter by category (Security, MIME Type, Caching) using the top buttons
  2. Search for a specific header or type (e.g., 'CSP' or 'JSON')
  3. Copy the pro-grade examples directly into your server configuration files

Example Usage

  Input: CSP
  Output: Content-Security-Policy: default-src 'self'...

  Input: nosniff
  Output: X-Content-Type-Options: nosniff

When to use this tool

  • Configuring Nginx or Apache security headers
  • Setting correct Content-Type for API responses
  • Auditing website security posture

Frequently Asked Questions

Why is the 'nosniff' header important?

The 'X-Content-Type-Options: nosniff' header stops the browser from guessing (sniffing) a resource's type from its bytes. Without it, a file an attacker uploaded under a harmless declared type such as image/png or text/plain can be interpreted as HTML or JavaScript and run in your origin. It also makes the browser refuse scripts and stylesheets that arrive with a wrong Content-Type.

What does CSP protect against?

Content Security Policy (CSP) is primarily designed to mitigate Cross-Site Scripting (XSS) attacks by strictly controlling which resources the browser may load and execute. It does not remove the injection bug itself; it limits what injected markup can do, for example by refusing to run a script from an origin the policy does not list. Its frame-ancestors directive also covers clickjacking.


Security Best Practice

"Default to deny. Start with a strict Content-Security-Policy and only allowlist the sources you absolutely trust. A secure header configuration is a cheap layer of defense in depth for modern web infrastructure, not a substitute for fixing injection bugs in the application itself."