Reputation: 560
I am using express 4.x with node 4.4.3. The web server is nginx and I am running an http server module in node - for which I am using nginx as a reverse proxy (using 'upstream'). I see the below response header when I inspect it in the browser console:
x-content-type-options: nosniff
I have thoroughly checked my nginx conf file for this setting / header but it isn't there. Wonder if I could get some pointers as to where it might be coming from? And when I add add_header X-Content-Type-Options nosniff; in nginx.conf then I see the above appear twice in the response headers as shown below
X-Content-Type-Options:nosniff
X-Content-Type-Options:nosniff
Wonder what's causing this. Please let me know if any further information is needed. Thanks
Here's my node installed modules folder contents
Upvotes: 4
Views: 12262
Reputation: 6974
This is probably coming from a package installed in your express application. You should check the package.json file. Look for the dependencies part listing all the packages installed.
Helmet is typically one of the packages adding the X-Content-Type-Options:nosniff header.
Edit: according to your list of dependencies the most probable solution is that you return 'jsonp' content with Express. In this case Express will add the X-Content-Type-Options header when no Content-Type header is set by the user (see the response.js file at line 289 in node_modules/express/lib).
It could also come from one or another dependency used by Express like 'finalhandler', 'send' or 'serve-static' (see there for Express' dependencies list) but it is hard to be sure without debugging your whole application.
Upvotes: 4
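One way to confirm which layer sets the header, added here as an example and not part of the original question or answer: capture the response once directly from the Node port and once through nginx, then compare how many copies each contains. The function names, the sample header arrays and the URLs in the comments are assumptions made for illustration.

```javascript
// Added example: attribute copies of a response header to the Node app or to nginx.
// Inputs are rawHeaders arrays ([name, value, name, value, ...]) in the shape
// exposed by Node's http.IncomingMessage#rawHeaders.

// Collect every value of `name` (case-insensitive) from a rawHeaders array.
function valuesOf(rawHeaders, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() === wanted) out.push(rawHeaders[i + 1].trim());
  }
  return out;
}

// Compare the direct (upstream) response with the proxied one and report
// how many copies of the header each layer contributes.
function attributeHeader(directRaw, proxiedRaw, name) {
  const app = valuesOf(directRaw, name).length;
  const total = valuesOf(proxiedRaw, name).length;
  const proxy = total - app; // negative means the proxy hid the upstream copy
  let verdict = 'absent';
  if (proxy < 0) verdict = 'hidden-by-proxy';
  else if (app > 0 && proxy > 0) verdict = 'both';
  else if (app > 0) verdict = 'app-only';
  else if (proxy > 0) verdict = 'proxy-only';
  return { app, proxy, verdict };
}

// Optional live capture, e.g. fetchRawHeaders('http://127.0.0.1:3000/api')
// for the Node port and fetchRawHeaders('http://127.0.0.1/api') for nginx
// (both URLs are hypothetical).
function fetchRawHeaders(url) {
  const http = require('http');
  return new Promise((resolve, reject) => {
    http.get(url, (res) => { res.resume(); resolve(res.rawHeaders); })
      .on('error', reject);
  });
}

// Constructed samples: a jsonp response from Express, then the same response
// after nginx has appended its own add_header copy.
const DIRECT = ['X-Powered-By', 'Express', 'X-Content-Type-Options', 'nosniff',
  'Content-Type', 'text/javascript; charset=utf-8'];
const PROXIED = ['Server', 'nginx', 'Content-Type', 'text/javascript; charset=utf-8',
  'X-Content-Type-Options', 'nosniff', 'X-Content-Type-Options', 'nosniff'];
```

A `both` verdict means the header should be set in one place only: remove the `add_header` line, or keep it and drop the upstream copy with nginx's `proxy_hide_header X-Content-Type-Options;`.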