As of Drupal 7.40 the default .htaccess file has changed (#462950: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type).
However, when Apache does not have mod_headers enabled (or another web server is used), anonymous page caching is *enabled*, and the page is served from cache, the x-content-type-options nosniff is not added to the HTTP response.
It seems the issue is within drupal_serve_page_from_cache, as the line below does not contain "x-content-type-options":
    if (in_array($name_lower, array('content-location', 'expires', 'cache-control', 'vary')) && !isset($hook_boot_headers[$name_lower])) {
      drupal_add_http_header($name, $value);
      unset($cache->data['headers'][$name]);
    }
Steps to reproduce:
1) Disable Apache mod_headers
2) Enable anonymous page caching
3) Browse to any node ("X-Drupal-Cache" is "MISS" and "X-Content-Type-Options nosniff" exists - it comes from drupal_page_header)
4) Browse again to the same node ("X-Drupal-Cache" is "HIT" and "X-Content-Type-Options nosniff" does NOT exist - it comes from drupal_serve_page_from_cache)
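
A check for steps 3 and 4, as an added example that is not part of the original report: it parses two saved header blocks (for instance the output of `curl -sI` for the same node, requested twice) and reports whether nosniff is present on the uncached response but missing on the cache hit. The sample responses are constructed and the function names are hypothetical.

```python
# Constructed samples modelled on steps 3 and 4; not captured from a real site.
MISS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Drupal-Cache: MISS\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
)
HIT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Drupal-Cache: HIT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
)


def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw header block."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Report cache status and whether nosniff is present on one response."""
    headers = parse_headers(raw)
    cache = (headers.get("x-drupal-cache") or ["absent"])[0].upper()
    nosniff = any(
        token.strip().lower() == "nosniff"
        for value in headers.get("x-content-type-options", [])
        for token in value.split(",")
    )
    return {"cache": cache, "nosniff": nosniff}


def regression_present(first_raw, second_raw):
    """True when the uncached response has nosniff but the cache hit lacks it."""
    first, second = audit(first_raw), audit(second_raw)
    return first["nosniff"] and second["cache"] == "HIT" and not second["nosniff"]


if __name__ == "__main__":
    for label, raw in (("first", MISS_RESPONSE), ("second", HIT_RESPONSE)):
        print(label, audit(raw))
    print("regression present:", regression_present(MISS_RESPONSE, HIT_RESPONSE))
```

Header names are compared case-insensitively, so the check works whether the server sends `X-Content-Type-Options` or `x-content-type-options`.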