
How to fix: X-Content-Type-Options (NIS2 technical measure)

NIS2 Art. 21(2)(a)

Why this matters

MIME-sniffing prevention is in every mainstream hardening guide. Missing it suggests the security baseline hasn't been applied — an NIS2 hygiene red flag rather than a critical hole.

Background

X-Content-Type-Options: nosniff stops browsers from MIME-type sniffing a response, that is, guessing the content type from the body bytes instead of trusting the declared Content-Type. Without it, a response served as text (a txt file, a user upload) can be sniffed as HTML and any script in it executed, a class of XSS. NIS2 baseline technical measure.

References

NIS2 Art. 21(2)(a) · MDN: X-Content-Type-Options

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
add_header X-Content-Type-Options "nosniff" always;
apache
Header always set X-Content-Type-Options "nosniff"
cloudflare
Transform Rules → Modify Response Header.
wordpress
WP Headers Security Advanced plugin.
flask
In an @app.after_request hook: resp.headers.setdefault('X-Content-Type-Options', 'nosniff'); return resp
express
helmet.noSniff()
rails
Rails sets this by default in development. Confirm it is present in your production environment.

Verify it's working

curl -sI https://your-site/ | grep -i x-content-type-options should print the header, and its value should be exactly 'nosniff'.
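The grep above only shows that a header with that name exists; browsers ignore any value other than nosniff (matched case-insensitively), so a misspelling such as 'no-sniff' passes the grep while giving no protection. The following checker is an added example written for this guide, not part of the audit tool it describes: it parses a raw response head (the constructed samples stand in for curl -sI output) and returns a verdict, and check_url performs the same check live against a URL you supply.

```python
import urllib.request
from typing import Dict, List, Tuple

# Constructed samples of what `curl -sI https://your-site/` prints; no real site.
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
             "x-content-type-options: NOSNIFF\r\n\r\n")
SAMPLE_WRONG = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: no-sniff\r\n\r\n"
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into {lowercased name: [values]}.
    Header names are case-insensitive and a header may appear more than once,
    so every occurrence is kept."""
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\n")
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]                      # drop the status line
    for line in lines:
        line = line.rstrip("\r")
        if not line:                           # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:                                # skip lines that are not headers
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def nosniff_verdict(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'ok', 'wrong-value' or 'missing'."""
    values = headers.get("x-content-type-options", [])
    if not values:
        return "missing", "header not sent"
    # Browsers match the token ASCII-case-insensitively, so NOSNIFF is fine;
    # any other value (e.g. 'no-sniff') is ignored and gives no protection.
    if all(v.lower() == "nosniff" for v in values):
        return "ok", ", ".join(values)
    return "wrong-value", ", ".join(values)


def check_raw(raw: str) -> Tuple[str, str]:
    return nosniff_verdict(parse_headers(raw))


def check_url(url: str, timeout: float = 10.0) -> Tuple[str, str]:
    # Live equivalent of the curl command: HEAD request against your own site.
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers: Dict[str, List[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value.strip())
    return nosniff_verdict(headers)
```

check_url raises urllib.error.HTTPError on non-2xx responses, so wrap it if you want a verdict for error pages too (they should carry the header as well).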
