How to fix: X-Content-Type-Options (NIS2 technical measure)
NIS2 Art. 21(2)(a)
Why this matters
MIME-sniffing prevention is in every mainstream hardening guide. Missing it suggests the security baseline hasn't been applied — an NIS2 hygiene red flag rather than a critical hole.
Background
X-Content-Type-Options: nosniff tells browsers not to MIME-sniff a response, i.e. not to guess a content type different from the declared Content-Type. Without it, a response served as plain text can be sniffed as HTML and any script in it executed, which is one route to XSS. It is an NIS2 baseline technical measure.
References
NIS2 Art. 21(2)(a) · MDN: X-Content-Type-Options
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
add_header X-Content-Type-Options "nosniff" always;
apache
Header always set X-Content-Type-Options "nosniff"
cloudflare
Transform Rules → Modify Response Header: add a static header X-Content-Type-Options with the value nosniff.
wordpress
WP Headers Security Advanced plugin.
flask
@app.after_request
def add_nosniff(resp): resp.headers.setdefault('X-Content-Type-Options', 'nosniff'); return resp  # setdefault keeps any value a view already set
express
app.use(helmet.noSniff())
rails
Rails sets this by default in development. Confirm in production env.
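For stacks that are not listed above, the same pattern can be applied at the WSGI layer. The following is an added example, not code from the original page or from any of the projects it names: a framework-agnostic middleware that appends X-Content-Type-Options: nosniff to every response unless the application already set it, plus a tiny in-process caller so it can be exercised without a server. The function names and the two sample apps are this example's own.

```python
# Added example (not from the original page): WSGI middleware that adds
# X-Content-Type-Options: nosniff when the application did not set it.


def nosniff_middleware(app):
    """Wrap a WSGI app so every response carries X-Content-Type-Options: nosniff."""

    def wrapped(environ, start_response):
        def custom_start(status, headers, exc_info=None):
            # Header names are case-insensitive; never emit a duplicate if the
            # app (or a framework default) already set the header.
            if not any(name.lower() == "x-content-type-options" for name, _ in headers):
                headers = list(headers) + [("X-Content-Type-Options", "nosniff")]
            return start_response(status, headers, exc_info)

        return app(environ, custom_start)

    return wrapped


def bare_app(environ, start_response):
    """Constructed sample app: text/plain body, no hardening headers at all."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def preset_app(environ, start_response):
    """Constructed sample app that already sets the header (lower-case name)."""
    start_response(
        "200 OK",
        [("content-type", "text/plain"), ("x-content-type-options", "nosniff")],
    )
    return [b"hello"]


def run_request(app, path="/"):
    """Minimal in-process WSGI caller; returns (status, headers, body), no network."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header_count(headers, name):
    """Number of times a header appears, matched case-insensitively."""
    return sum(1 for n, _ in headers if n.lower() == name.lower())


if __name__ == "__main__":
    for label, app in (("bare", bare_app), ("preset", preset_app)):
        status, headers, _ = run_request(nosniff_middleware(app))
        print(label, status, headers)
```

Wrap the application object once at startup (for example `application = nosniff_middleware(application)` in the WSGI entry point); the header is then set regardless of which view or framework produced the response.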
Verify it's working
curl -sI https://your-site/ | grep -i x-content-type-options should print a line whose value is nosniff.
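The grep above only tells you whether the header name appears somewhere in the output. The following is an added example, not code from the original page: a small stdlib-only checker that parses the raw header block `curl -sI` prints, matches the header name case-insensitively, and fails on the cases grep silently accepts (a misspelt value, a duplicated header, or a header that is present on a redirect but missing on the final response when `-L` is used). The function names and the sample header blocks are constructed for this example.

```python
# Added example (not from the original page): verify X-Content-Type-Options
# in a raw HTTP response head, e.g. from `curl -sI https://your-site/`.
import sys


def parse_final_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs of the LAST response in the block.

    `curl -sIL` prints one header block per hop; each starts with a status
    line. We reset on every status line so redirects do not mask the result.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line.startswith("HTTP/"):
            pairs = []  # new hop: discard the previous hop's headers
            continue
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_nosniff(raw: str) -> tuple[bool, str]:
    """Return (ok, reason). The only valid value is 'nosniff' (case-insensitive)."""
    values = [v for n, v in parse_final_headers(raw) if n.lower() == "x-content-type-options"]
    if not values:
        return False, "missing"
    if len(values) > 1:
        return False, "duplicate header (%d copies)" % len(values)
    if values[0].lower() != "nosniff":
        return False, "unexpected value %r" % values[0]
    return True, "ok"


# Constructed sample blocks in the shape `curl -sI` produces (not real sites).
SAMPLE_OK = "HTTP/2 200\r\ncontent-type: text/html\r\nx-content-type-options: nosniff\r\n\r\n"
SAMPLE_MISSING = "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n"
SAMPLE_TYPO = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: no-sniff\r\n\r\n"
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
    "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n"
)


if __name__ == "__main__":
    # Usage: curl -sIL https://your-site/ | python3 check_nosniff.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    ok, reason = check_nosniff(raw)
    print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

The non-zero exit status makes the check usable as a CI step; note that it only inspects the final hop, so run it against each origin (and CDN edge) separately rather than trusting a single redirect chain.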