"Don't infer the MIME type" middleware
Some browsers will try to "sniff" MIME types. For example, if my server serves file.txt with a text/plain Content-Type, some browsers will still execute that file as JavaScript when a page references it with <script src="file.txt"></script>. Many browsers will also run file.js as a script even if its Content-Type isn't a JavaScript type. There are other vulnerabilities, too.
This middleware keeps Chrome, Opera, and IE from doing this sniffing (and Firefox soon). The following example sets the X-Content-Type-Options header to its only valid value, nosniff:
```js
var express = require('express')
var nosniff = require('dont-sniff-mimetype')
var app = express()
app.use(nosniff()) // every response now carries X-Content-Type-Options: nosniff
```
MSDN has a good description of how browsers behave when this header is sent.
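To see what the header actually changes, here is an added example that is not the package's own code: a minimal re-implementation of the middleware in the same (req, res, next) shape, applied to a constructed stand-in for a Node response, together with a simplified model of the browser decision the README describes (with nosniff, a <script> only executes a response whose declared Content-Type is a JavaScript type; without it, a sniffing browser may execute text/plain anyway). The fakeResponse, serveWith and scriptWouldRun helpers and the shortened JS MIME-type list are assumptions made for this example, not part of the package.

```javascript
// Added example, not dont-sniff-mimetype's own code: re-implements the middleware
// and models the browser behaviour the README describes so it can be checked offline.

const HEADER = 'X-Content-Type-Options'

// JavaScript MIME types a browser accepts for <script> when sniffing is off.
// Assumption: a subset of the HTML spec's list, enough for this example.
const JS_MIME_TYPES = [
  'application/javascript', 'application/ecmascript',
  'application/x-javascript', 'text/javascript', 'text/ecmascript'
]

// Same shape as an Express/Connect middleware. The header has exactly one
// meaningful value, so it is hard-coded rather than configurable.
function nosniff () {
  return function nosniffMiddleware (req, res, next) {
    res.setHeader(HEADER, 'nosniff')
    next()
  }
}

// Constructed stand-in for http.ServerResponse: stores headers
// case-insensitively like Node does, and nothing more.
function fakeResponse (contentType) {
  const headers = {}
  const res = {
    setHeader (name, value) { headers[name.toLowerCase()] = String(value) },
    getHeader (name) { return headers[name.toLowerCase()] }
  }
  if (contentType) res.setHeader('Content-Type', contentType)
  return res
}

// "text/plain; charset=utf-8" -> "text/plain"
function essence (contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase()
}

// Simplified model of the README's scenario: would <script src="..."> execute
// a response carrying these headers? With nosniff the browser only runs a
// declared JavaScript type. Without it this model assumes the README's
// sniffing browser, which executes the body regardless of the declared type.
function scriptWouldRun (res) {
  const opt = String(res.getHeader(HEADER) || '').trim().toLowerCase()
  const type = essence(res.getHeader('Content-Type'))
  if (opt === 'nosniff') return JS_MIME_TYPES.indexOf(type) !== -1
  return true
}

// Apply a middleware the way a framework would and hand back the response.
function serveWith (middleware, res) {
  let nextCalled = false
  middleware({}, res, function next () { nextCalled = true })
  if (!nextCalled) throw new Error('middleware did not call next()')
  return res
}

// Constructed responses: one served without the middleware, two with it.
const unprotected = fakeResponse('text/plain')
const protectedText = serveWith(nosniff(), fakeResponse('text/plain; charset=utf-8'))
const protectedJs = serveWith(nosniff(), fakeResponse('application/javascript'))

console.log('text/plain, no header, runs as script:', scriptWouldRun(unprotected))   // true
console.log('text/plain + nosniff, runs as script:', scriptWouldRun(protectedText))  // false
console.log('application/javascript + nosniff, runs:', scriptWouldRun(protectedJs))  // true
```

The middle case is the one the header exists for: the same text/plain file that a sniffing browser would happily execute is refused once nosniff is present, while a correctly typed script keeps working. Note that the middleware only helps if it runs before the route sends its response, so register it early in the app.use chain.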