To fix this, add the response header X-Content-Type-Options: nosniff to all responses. It stops browsers from MIME-sniffing and executing files as a type you did not intend. It is safe to add site-wide. Re-scan to confirm.
Without X-Content-Type-Options: nosniff, browsers may guess a file's type and, for example, treat an uploaded image as JavaScript — a route to attacks. The fix is a single, low-risk header applied everywhere. This guide shows how on each platform.
Check your website
See how your site handles how to fix missing x-content-type-options — free, no account needed.
Business impact
This header closes a subtle attack vector where uploaded or user-supplied files could be executed as scripts. It is one of the safest, fastest hardening steps you can take, with essentially no downside, and it demonstrates a well-secured site to auditors and security-aware customers.
Why this happens
It is missing because it is not a default. The value nosniff instructs browsers to trust the declared Content-Type rather than sniffing content. It is almost always safe to enable; the only caveat is ensuring your server sends correct Content-Type headers for its files.
How to confirm the issue
Manually: check DevTools → Network for x-content-type-options: nosniff, or run curl -I https://yoursite.com.
With Plexa Trust: run a scan for "Missing X-Content-Type-Options" and re-scan after the fix.
Step-by-step fix
Add
X-Content-Type-Options: nosniffto all responses.Ensure your server sends correct Content-Type headers for assets.
Deploy site-wide and re-scan to confirm.
Platform-specific fixes
Cloudflare
Rules → Transform Rules → Modify Response Header.
Add header
X-Content-Type-Options=nosniff. Save.
Apache
Header always set X-Content-Type-Options "nosniff"
Reload Apache.
Nginx
add_header X-Content-Type-Options "nosniff" always;
Run
nginx -tand reload.
WordPress
Enable the nosniff option in a security-headers plugin, or add it in server config.
How to verify the fix
Apply it site-wide; it is safe and universally recommended.
Make sure Content-Type headers are accurate for your files.
Re-scan and confirm the finding is cleared.
Common mistakes
Assuming it is risky — nosniff is safe for virtually all sites.
Serving assets with wrong Content-Type headers, then blaming nosniff.
Setting it on only some responses.
Frequently asked questions
What does nosniff do?
It tells the browser to trust the declared Content-Type and not guess, preventing files being interpreted as an unintended (and dangerous) type.
Is it safe to enable?
Yes, for almost every site. The only requirement is that your server sends correct Content-Type headers, which it should anyway.
What attack does it prevent?
MIME-sniffing attacks, where content such as an uploaded file is executed as script because the browser guessed its type.
Does it affect performance?
No. It is a tiny response header with no performance cost.
Could it break my site?
Only if you rely on the browser guessing types because your Content-Type headers are wrong — fix those instead.
Where do I set it?
Site-wide at your web server or CDN so every response includes it.
Is it still recommended?
Yes. It remains a baseline security header recommended by OWASP and browser vendors.
How do I confirm it worked?
Re-scan with Plexa Trust and verify the header via curl or DevTools.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan