Skip to main content

Fix Guides

How to Fix Missing X-Content-Type-Options

Stop browsers guessing (and misinterpreting) your file types.

Quick fix

To fix this, add the response header X-Content-Type-Options: nosniff to all responses. It stops browsers from MIME-sniffing and executing files as a type you did not intend. It is safe to add site-wide. Re-scan to confirm.

Without X-Content-Type-Options: nosniff, browsers may guess a file's type and, for example, treat an uploaded image as JavaScript — a route to attacks. The fix is a single, low-risk header applied everywhere. This guide shows how on each platform.

Check your website

See how your site handles how to fix missing x-content-type-options — free, no account needed.

Business impact

This header closes a subtle attack vector where uploaded or user-supplied files could be executed as scripts. It is one of the safest, fastest hardening steps you can take, with essentially no downside, and it demonstrates a well-secured site to auditors and security-aware customers.

Why this happens

It is missing because it is not a default. The value nosniff instructs browsers to trust the declared Content-Type rather than sniffing content. It is almost always safe to enable; the only caveat is ensuring your server sends correct Content-Type headers for its files.

How to confirm the issue

Manually: check DevTools → Network for x-content-type-options: nosniff, or run curl -I https://yoursite.com.

With Plexa Trust: run a scan for "Missing X-Content-Type-Options" and re-scan after the fix.

Step-by-step fix

  1. Add X-Content-Type-Options: nosniff to all responses.

  2. Ensure your server sends correct Content-Type headers for assets.

  3. Deploy site-wide and re-scan to confirm.

Platform-specific fixes

Cloudflare

  1. Rules → Transform Rules → Modify Response Header.

  2. Add header X-Content-Type-Options = nosniff. Save.

Apache

  1. Header always set X-Content-Type-Options "nosniff"

  2. Reload Apache.

Nginx

  1. add_header X-Content-Type-Options "nosniff" always;

  2. Run nginx -t and reload.

WordPress

  1. Enable the nosniff option in a security-headers plugin, or add it in server config.

How to verify the fix

  • Apply it site-wide; it is safe and universally recommended.

  • Make sure Content-Type headers are accurate for your files.

  • Re-scan and confirm the finding is cleared.

Common mistakes

  • Assuming it is risky — nosniff is safe for virtually all sites.

  • Serving assets with wrong Content-Type headers, then blaming nosniff.

  • Setting it on only some responses.

Frequently asked questions

What does nosniff do?

It tells the browser to trust the declared Content-Type and not guess, preventing files being interpreted as an unintended (and dangerous) type.

Is it safe to enable?

Yes, for almost every site. The only requirement is that your server sends correct Content-Type headers, which it should anyway.

What attack does it prevent?

MIME-sniffing attacks, where content such as an uploaded file is executed as script because the browser guessed its type.

Does it affect performance?

No. It is a tiny response header with no performance cost.

Could it break my site?

Only if you rely on the browser guessing types because your Content-Type headers are wrong — fix those instead.

Where do I set it?

Site-wide at your web server or CDN so every response includes it.

Is it still recommended?

Yes. It remains a baseline security header recommended by OWASP and browser vendors.

How do I confirm it worked?

Re-scan with Plexa Trust and verify the header via curl or DevTools.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring