Overview
Browsers sometimes try to guess the content type of a file by inspecting its bytes (e.g., treating a .txt file as .js) if the Content-Type header is missing or incorrect. This is called 'MIME sniffing' and can be exploited by attackers to execute malicious code: a file the server declared as harmless can end up being interpreted by the browser as something else.
The 'nosniff' Directive
Setting X-Content-Type-Options: nosniff tells the browser to strictly follow the Content-Type header provided by the server. If the server says a file is a plain text file, the browser will not try to execute it as a script. In practice, browsers enforce this when loading subresources: a response used as a script must carry a JavaScript MIME type and a response used as a stylesheet must be text/css, otherwise it is blocked. The header only works if the server's Content-Type values are correct in the first place.
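The following is an added example, not code from the original page: it models the nosniff blocking rule from the Fetch standard (script loads need a JavaScript MIME type, stylesheet loads need text/css) together with a case-insensitive header audit, using constructed header dictionaries as input. The function names are my own.

```python
"""Model of how a browser honours X-Content-Type-Options: nosniff (added example)."""

# JavaScript MIME types recognised by the MIME Sniffing standard (subset of the list).
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def get_header(headers: dict, name: str):
    """HTTP header names are case-insensitive; return the first match or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def mime_essence(content_type: str) -> str:
    """'text/javascript; charset=utf-8' -> 'text/javascript' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers: dict) -> bool:
    """True if the response carries X-Content-Type-Options with the value nosniff."""
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    # Only the first comma-separated value counts; matching is ASCII case-insensitive.
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers: dict, destination: str) -> bool:
    """Would a nosniff-enforcing browser refuse to use this response as `destination`?

    destination is 'script', 'style' or anything else (images, downloads, ...).
    Without the header the browser is free to sniff, so nothing is blocked here.
    """
    if not nosniff_enabled(headers):
        return False
    content_type = get_header(headers, "Content-Type")
    essence = mime_essence(content_type) if content_type else None
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


if __name__ == "__main__":
    # Constructed response: a user upload served as text/plain, referenced by a <script> tag.
    upload = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
    print("script load blocked:", blocked_by_nosniff(upload, "script"))  # True
```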
Importance
This header is a simple but important defense against 'drive-by download' attacks and other exploits that rely on confusing the browser about a file's purpose. Because it applies per response, it should be sent on every response the server emits (including user-uploaded files and API responses), not only on HTML pages.