diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java
index 95e012b49e80c76e06259ef181db4c7a3a936ec2..0c85aae96214fb8eefb3cae1e269c6d67fdcee06 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java
@@ -378,7 +378,7 @@ class BasicServlet extends HttpServlet
     {   
         if (content.getContentType()!=null && response.getContentType()==null)
             response.setContentType(content.getContentType());
-        
+        response.setHeader("X-Content-Type-Options", "nosniff");
         long lml = content.getLastModified();
         if (lml > 0)
             response.setDateHeader("Last-Modified",lml);
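Review bot: The new `nosniff` header is sent unconditionally, but the `if` above it sets a Content-Type only when `content.getContentType()` is non-null, so a resource of unknown type leaves here with no declared type at all. How a browser handles that combination is left to the browser, so the header is more dependable when a type is always present. One option, if a download prompt is acceptable for unknown files, is to add `else if (response.getContentType()==null) response.setContentType("application/octet-stream");` after the existing `if`. The enclosing method starts above this hunk, so a fallback set elsewhere cannot be ruled out.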
@@ -394,7 +394,6 @@ class BasicServlet extends HttpServlet
         long ct = content.getCacheTime();
         if (ct>=0)
             response.setHeader("Cache-Control", "public, max-age=" + ct);
-
     }
 
     /* ------------------------------------------------------------ */
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 754ea81487b0fd14b23e47e91b30b77e0acad5b7..74688f2c726d8fa2a9db497c6681c21920710db5 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -379,6 +379,7 @@ public class I2PSnarkServlet extends BasicServlet {
         resp.setHeader("Pragma", "no-cache");
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
         resp.setHeader("X-XSS-Protection", "1; mode=block");
+        resp.setHeader("X-Content-Type-Options", "nosniff");
     }
 
     private void writeMessages(PrintWriter out, boolean isConfigure, String peerString) throws IOException {
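Review bot: `X-Content-Type-Options` is added here by hand, and the same literal line is repeated in every other file this commit touches (the i2ptunnel, routerconsole and susidns JSPs, the imagegen servlets and WebMail.java). Any page or servlet added later has to remember to copy it, and a missed one is invisible in review. Setting it once per webapp, in a servlet `Filter` or a shared helper the pages call, would keep the header set consistent. Failing that, a comment such as `// keep this header block in sync with the other console webapps` would help. The enclosing method starts above this hunk.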
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index 06eeee3714852615121830e80dd42a1368e5af30..21fac1fc36b625c3f9618f44c93c15f8062f7dd8 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -5,6 +5,7 @@
     // edit pages need script for the delete button 'are you sure'
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 9e2c06492259731dd01f761743c8a865ef904442..bb099231c57d7e51fe35504e9e897c0ac60fde5b 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -8,6 +8,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index fefd8a8772ec46bd42ff998aa1912c5374b5fe24..56c6c528a1878bf2bbf531ff003e0b7528090833 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -8,6 +8,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
diff --git a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java
index 79145cb984e9a456a26c647d87ca61ca42d369a0..90cc702b9a665507972b37063db317020b6a4b9a 100644
--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java
@@ -166,6 +166,7 @@ public class IdenticonServlet extends HttpServlet {
 
 			// return image bytes to requester
 			response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+			response.setHeader("X-Content-Type-Options", "nosniff");
 			response.setContentLength(imageBytes.length);
 			response.getOutputStream().write(imageBytes);
 		}
diff --git a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java
index bce1a12edefcd35f79acaee9ef466db4a487f434..e11f8d62729d1e1c290f9b2bc9444dcba510dc24 100644
--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java
@@ -191,6 +191,7 @@ public class QRServlet extends HttpServlet {
 
 			// return image bytes to requester
 			response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+			response.setHeader("X-Content-Type-Options", "nosniff");
 			response.setContentLength(imageBytes.length);
 			response.getOutputStream().write(imageBytes);
 		}
diff --git a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java
index 2ba8f460b4b78812bfd2f271bd1f5f702ed0373e..83dd20b75e313a1ad9641d581f00fc95b58969e3 100644
--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java
@@ -62,6 +62,7 @@ public class RandomArtServlet extends HttpServlet {
 					response.setContentType("text/plain");
 					response.setCharacterEncoding("UTF-8");
 				}
+				response.setHeader("X-Content-Type-Options", "nosniff");
 				buf.append(RandomArt.gnutls_key_fingerprint_randomart(h.getData(), "SHA", 256, "", true, html));
 				if (html)
 					buf.append("</body></html>");
diff --git a/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java b/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java
index 1d71421bf11bac8f486a19d8a5de4fce4f80489d..c2be82a9d9538855491a1a2e50c163b4d3d02964 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java
@@ -41,6 +41,7 @@ public class CodedIconRendererServlet extends HttpServlet {
          //set as many headers as are common to any outcome
          
          srs.setContentType("image/png");
+         srs.setHeader("X-Content-Type-Options", "nosniff");
          srs.setDateHeader("Expires", I2PAppContext.getGlobalContext().clock().now() + 86400000l);
          srs.setHeader("Cache-Control", "public, max-age=86400");
          OutputStream os = srs.getOutputStream();
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index edae862400f786e0f7c9dc343efc9edf9f900ed0..c49a15ea62b4accac142ce7a40c91a24a9a999f4 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -34,6 +34,7 @@
       response.setHeader("X-Frame-Options", "SAMEORIGIN");
       response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
+      response.setHeader("X-Content-Type-Options", "nosniff");
    }
 
    String conNonceParam = request.getParameter("consoleNonce");
diff --git a/apps/routerconsole/jsp/flags.jsp b/apps/routerconsole/jsp/flags.jsp
index 7dcfa503980df73c9a5a6506b50f0bd01c4dcdc1..b6dcf8184f29c3ecb57b0eaca704fa9e04c17f6d 100644
--- a/apps/routerconsole/jsp/flags.jsp
+++ b/apps/routerconsole/jsp/flags.jsp
@@ -31,7 +31,8 @@ if (c != null &&
         response.setDateHeader("Last-Modified", lastmod);
         // cache for a day
         response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 86400000l);
-        response.setHeader("Cache-Control", "public, max-age=86400");
+        response.setHeader("Cache-Control", "public, max-age=604800");
+        response.setHeader("X-Content-Type-Options", "nosniff");
     }
     long length = ffile.length();
     if (length > 0)
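Review bot: `Cache-Control` now says `max-age=604800` (seven days), but the `Expires` header on the line above is still `now() + 86400000l` and the comment still reads `// cache for a day`, so the two headers disagree. Caches that honour `max-age` will keep the flag for a week, while anything that falls back to `Expires` will use one day. Either keep `max-age=86400` or update all three, e.g. `// cache for a week` and `response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 604800000l);`. The lifetime change is unrelated to the header this commit adds and is worth stating in the commit description.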
diff --git a/apps/routerconsole/jsp/viewhistory.jsp b/apps/routerconsole/jsp/viewhistory.jsp
index f4a2cbbffe75714074f9fccd77019b5ea0b09f51..41ae6de3bd1339f79416b7e553f2ba9e48081e12 100644
--- a/apps/routerconsole/jsp/viewhistory.jsp
+++ b/apps/routerconsole/jsp/viewhistory.jsp
@@ -7,6 +7,7 @@
  * Do not tag this file for translation.
  */
 response.setContentType("text/plain");
+response.setHeader("X-Content-Type-Options", "nosniff");
 String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
 try {
     net.i2p.util.FileUtil.readFile("history.txt", base, response.getOutputStream());
diff --git a/apps/routerconsole/jsp/viewstat.jsp b/apps/routerconsole/jsp/viewstat.jsp
index 6a7907ebcb9d569a54bf6c2bfb652fe2fa1a2cd7..ce44c5cb7979ccd0405a19cfb6352c1cc4c016d4 100644
--- a/apps/routerconsole/jsp/viewstat.jsp
+++ b/apps/routerconsole/jsp/viewstat.jsp
@@ -35,6 +35,7 @@ if ( !rendered && ((rs != null) || fakeBw) ) {
     if ( (rate != null) || (fakeBw) ) {
       java.io.OutputStream cout = response.getOutputStream();
       String format = request.getParameter("format");
+      response.setHeader("X-Content-Type-Options", "nosniff");
       if ("xml".equals(format)) {
         if (!fakeBw) {
           response.setContentType("text/xml");
diff --git a/apps/routerconsole/jsp/viewtheme.jsp b/apps/routerconsole/jsp/viewtheme.jsp
index b60a6b447dd83e2f21df51bfe584dbe6a436a7b2..a30ec4fb6394b50aaf7ef84f2eb6b77d6bd4b76d 100644
--- a/apps/routerconsole/jsp/viewtheme.jsp
+++ b/apps/routerconsole/jsp/viewtheme.jsp
@@ -21,6 +21,7 @@ if (uri.endsWith(".css")) {
 } else if (uri.endsWith(".svg")) {
   response.setContentType("image/svg+xml");
 }
+response.setHeader("X-Content-Type-Options", "nosniff");
 /*
  * User or plugin themes
  * If the request is for /themes/console/foo/bar/baz,
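Review bot: `nosniff` is set after an `if`/`else if` chain that picks the Content-Type from the URI suffix, and the visible end of that chain has no final `else`. A theme file with a suffix the chain does not list would therefore go out with no type set here. With `nosniff`, browsers refuse to use a response as a stylesheet or script unless its declared type matches, so such a file would stop loading instead of being guessed. The chain starts above this hunk, so it is worth confirming it covers every type that themes ship, and adding a comment like `// nosniff below: every served suffix needs a Content-Type branch above`.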
diff --git a/apps/routerconsole/jsp/xhr1.jsp b/apps/routerconsole/jsp/xhr1.jsp
index b48e824421ae4947e5ed8f658bd5c67f1a8cf978..06458410b6b71046d3dfa4a8f8357c7d7866617c 100644
--- a/apps/routerconsole/jsp/xhr1.jsp
+++ b/apps/routerconsole/jsp/xhr1.jsp
@@ -8,6 +8,7 @@
    if (request.getParameter("i2p.contextId") != null) {
        session.setAttribute("i2p.contextId", request.getParameter("i2p.contextId"));
    }
+   response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
 <jsp:setProperty name="intl" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
diff --git a/apps/susidns/src/jsp/addressbook.jsp b/apps/susidns/src/jsp/addressbook.jsp
index 14106f87d0e92c0c07ade577e1f65aac52c729d0..eb940a187b090b6979adc38ee9a4eec776a628d4 100644
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -30,6 +30,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 27e57a6e9099f9d451f2fb9db54b718f2e3349ac..e6dcbe8dcdc555d0ab3ad137a2f787b3c1d4ae23 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -30,6 +30,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index b0663eb5f051b8ae45ff1cd6eeeb787f0d56fc71..bf5a3fa436e75048fd3a3ca4e141531a553b158c 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -27,6 +27,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/export.jsp b/apps/susidns/src/jsp/export.jsp
index 39440ecf4254eb09107c05c5d3bbe505b537664e..d100cd7628873cbb1aa56ff20d27e37fb48c301c 100644
--- a/apps/susidns/src/jsp/export.jsp
+++ b/apps/susidns/src/jsp/export.jsp
@@ -23,6 +23,7 @@
     // http://www.crazysquirrel.com/computing/general/form-encoding.jspx
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index f4b57eba3c2a4531f2afa89a76f5a6caaa95bf34..5dbc268c7aaf0663af4ea5954edf29ac8c5ca723 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -30,6 +30,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 25ec212612482c268884f1cb590c5277c5969423..ced96834f656ceae86ffa8c87f8251eaaf7384a4 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -30,6 +30,7 @@
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index bdcab5e89d9b3857512f37a4f7c5bc09160eac88..53ef8fd4f2f3f59ff08ef28353132a08a8fa6202 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1593,6 +1593,7 @@ public class WebMail extends HttpServlet
                 response.setHeader("X-Frame-Options", "SAMEORIGIN");
                 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
+		response.setHeader("X-Content-Type-Options", "nosniff");
 		RequestWrapper request = new RequestWrapper( httpRequest );
 		
 		SessionObject sessionObject = null;