Rajdeep Ratan

Reputation: 61

Refused to execute script because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled

I am trying to set up helmet security on my React application production server. But whenever I try hitting the URL, I get an error saying: Refused to execute script from 'http://localhost:3000/static/js/app.378bd8b8eee930fb268c.js' because its MIME type ('application/gzip') is not executable, and strict MIME type checking is enabled.


For compression build I am using compression-webpack-plugin.

The compression build is working perfectly fine when I remove the helmet. Helmet Plugin Setting:

{"xssFilter": {"setOnOldIE": true}}

Upvotes: 0

Views: 2768

Answers (1)

Evan Hahn

Reputation: 12722

tl;dr: /static/js/app.378bd8b8eee930fb268c.js is being sent with a Content-Type of application/gzip but it should be application/javascript.


Author of Helmet here. This is happening because of the X-Content-Type-Options header, which Helmet automatically sets to nosniff. This tells browsers not to infer the type of the file, and to trust the Content-Type that the server sets.

As you can see in your screenshot, /static/js/app.378bd8b8eee930fb268c.js has a Content-Type of application/gzip. The browser refuses to interpret it as JavaScript because its Content-Type isn't application/javascript—that's the X-Content-Type-Options header in action.

You can fix your problem by fixing that—get your JavaScript files' Content-Types to be application/javascript, not application/gzip.

Upvotes: 2
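One way to apply the fix described in the answer, as an added example that is not part of the original answer or of Helmet's own code: a dependency-free, Express-style middleware that serves the pre-compressed file but labels it by its original type and marks the gzip as a transfer encoding. It assumes the build wrote `<name>.js.gz` next to `<name>.js`; `precompressed`, `acceptsGzip` and `hasGz` are hypothetical names.

```javascript
// Content-Type comes from the ORIGINAL extension, never from ".gz".
// gzip is how the bytes are encoded (Content-Encoding), not what they are.
const TYPES = {
  '.js': 'application/javascript; charset=utf-8',
  '.css': 'text/css; charset=utf-8',
};

// True when the client lists gzip with a non-zero q-value.
function acceptsGzip(header) {
  return (header || '').split(',').some((part) => {
    const [name, ...params] = part.trim().split(';').map((s) => s.trim());
    const q = params.find((p) => p.startsWith('q='));
    return name.toLowerCase() === 'gzip' && (!q || parseFloat(q.slice(2)) > 0);
  });
}

// hasGz(path) is a hypothetical lookup, e.g. a Set of the .gz files found in
// the build directory at startup, so only existing files are rewritten to.
function precompressed(hasGz) {
  return function (req, res, next) {
    const [path, query] = req.url.split('?');
    const type = TYPES[path.slice(path.lastIndexOf('.'))];
    if (type && hasGz(path + '.gz')) {
      // Caches must key on Accept-Encoding, whichever variant is sent.
      res.setHeader('Vary', 'Accept-Encoding');
      if (acceptsGzip(req.headers['accept-encoding'])) {
        req.url = path + '.gz' + (query ? '?' + query : '');
        res.setHeader('Content-Encoding', 'gzip');
        // Set before the static handler runs so it is not derived from ".gz".
        res.setHeader('Content-Type', type);
      }
    }
    next();
  };
}

// Wiring (requires express and helmet, not loaded here):
//   app.use(helmet());                       // keeps X-Content-Type-Options: nosniff
//   app.use(precompressed((p) => gzFiles.has(p)));
//   app.use(express.static('build'));
```

With these headers the browser decompresses the body and sees a script whose declared type is JavaScript, so `nosniff` stays enabled and the script runs.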
