How to fix: X-Content-Type-Options nosniff

OWASP Top 10 A05:2021 (Security Misconfiguration)

Why this matters

Left to itself, a browser may inspect the bytes of a response and guess ("sniff") a type other than the one your server declared in Content-Type. A response labelled as text or as an image that actually contains HTML or JavaScript can then be rendered or executed under your origin. nosniff tells the browser to trust the declared type instead. It is a one-line defence against a classic XSS vector, but it is only as good as the Content-Type values you send.

Background

X-Content-Type-Options: nosniff stops browsers from guessing the MIME type of a response. It prevents the case where a .jpg endpoint that actually returns HTML is rendered as a page, or where a response served as text/plain is pulled in through a <script src> tag and run; with the header set, current browsers also refuse to execute script or stylesheet responses that do not carry a JavaScript or CSS MIME type. Cheap defence; it belongs on every response, including error pages, redirects and static files.

References

MDN · OWASP A05 · MIME-sniffing defence

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
add_header X-Content-Type-Options "nosniff" always;
(always keeps the header on 4xx/5xx responses. An add_header inside a server or location block replaces every add_header inherited from the enclosing block instead of adding to them, so repeat this line wherever you set other headers.)
apache
Header always set X-Content-Type-Options "nosniff"
(needs mod_headers; always applies it to error responses as well.)
cloudflare
Transform Rules → Modify Response Header → add static header X-Content-Type-Options: nosniff.
wordpress
The Headers Security Advanced plugin sets it; or add it via wp-config.php / functions.php. Headers sent from PHP only reach responses PHP generates; static files served directly by the web server need the nginx or Apache rule above.
flask
Flask-Talisman sets it by default once you wrap the app with Talisman(app).
express
helmet.noSniff(), or app.use(helmet()), whose defaults include it.
rails
Set by default through config.action_dispatch.default_headers (Rails 4 and later).
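The snippets above all do the same job: attach the header to every response, not just successful HTML pages. As an added example (not code from this page or from any of the frameworks listed), here is a small framework-agnostic WSGI middleware in Python that does exactly that for any WSGI app, Flask included, with an in-process demo app and a helper to call it without a network. The demo app, its paths and the helper names are constructed for the illustration; it uses only the standard library.

```python
"""Added example: WSGI middleware that sets X-Content-Type-Options: nosniff
on every response (200, 404, redirects alike). Not from the page or any
framework; the demo app and helper names below are constructed for this
illustration. Standard library only."""
from wsgiref.util import setup_testing_defaults

HEADER = "X-Content-Type-Options"
VALUE = "nosniff"


class NoSniffMiddleware:
    """Wrap any WSGI app so its responses carry X-Content-Type-Options: nosniff."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def start_response_nosniff(status, headers, exc_info=None):
            # Drop whatever the inner app sent under this name (header names are
            # case-insensitive), then add the canonical value exactly once.
            # Doing it at this layer covers error responses and redirects too,
            # not only the happy path.
            headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            headers.append((HEADER, VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_nosniff)


def demo_app(environ, start_response):
    """Constructed inner app: a page, a redirect, a mislabelled upload, a route
    that already sets the header in odd casing, and a 404."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [b"<h1>hello</h1>"]
    if path == "/old":
        start_response("301 Moved Permanently", [("Location", "/")])
        return [b""]
    if path == "/upload/evil.jpg":
        # HTML bytes served as an image: nosniff stops a browser rendering this
        # as a page, but the wrong Content-Type still needs fixing at the source.
        start_response("200 OK", [("Content-Type", "image/jpeg")])
        return [b"<script>alert(1)</script>"]
    if path == "/already":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("x-content-type-options", "NoSniff")])
        return [b"<p>set by the app</p>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, path):
    """Run a WSGI app in-process (no network) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def nosniff_values(headers):
    """All X-Content-Type-Options values in a header list (name compared case-insensitively)."""
    return [v for k, v in headers if k.lower() == HEADER.lower()]


if __name__ == "__main__":
    app = NoSniffMiddleware(demo_app)
    for path in ["/", "/old", "/upload/evil.jpg", "/already", "/nope"]:
        status, headers, _ = call(app, path)
        print(f"{path:20} {status:22} {nosniff_values(headers)}")
```

The point of wrapping at the WSGI layer rather than in a route handler is the same reason nginx and Apache need `always`: the responses most often left without the header are the ones your application code never touches, such as framework-generated 404s and redirects.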

Verify it's working

curl -sI https://your-site/ | grep -i 'x-content-type-options:'

Expect one line reading X-Content-Type-Options: nosniff. Repeat for a URL that returns 404, for a redirect and for a static asset (an image or script): these are the responses that most often lose the header when it is set only in application code or without nginx's or Apache's always. Note that -I sends a HEAD request, which some servers handle differently from GET.
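The one-liner above reports on a single URL. As an added example (not from this page), the Python below parses raw response headers in the form `curl -sI` prints them and applies the checks that matter in practice: header present, first value exactly nosniff, no duplicate with a conflicting value, and a Content-Type on non-redirect responses, since nosniff can only enforce a type that is actually declared. The four sample responses and the example.test URLs are constructed for the demo, not captured from a real site; function names are this example's own.

```python
"""Added example: audit raw HTTP response heads (as printed by `curl -sI`)
for a correct X-Content-Type-Options header. Not from the page; the sample
responses and URLs below are constructed for illustration."""


def parse_headers(raw):
    """Split a raw response head into (status_line, [(name, value), ...]).
    Tolerates CRLF and trailing blank lines; header names are kept as sent."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status_line = lines[0].strip()
    headers = []
    for ln in lines[1:]:
        if not ln.strip() or ":" not in ln:
            continue  # blank separator or non-header noise
        name, _, value = ln.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def status_code(status_line):
    """'HTTP/2 404' or 'HTTP/1.1 404 Not Found' -> 404."""
    return int(status_line.split()[1])


def check_nosniff(raw):
    """Return the findings for one response; an empty list means it passes."""
    status_line, headers = parse_headers(raw)
    code = status_code(status_line)
    findings = []

    xcto = [v for n, v in headers if n.lower() == "x-content-type-options"]
    if not xcto:
        findings.append("X-Content-Type-Options missing")
    else:
        # Browsers read the first value case-insensitively; anything else is a misconfiguration.
        if xcto[0].lower() != "nosniff":
            findings.append(f"X-Content-Type-Options has unexpected value {xcto[0]!r}")
        if len(xcto) > 1:
            findings.append(f"X-Content-Type-Options sent {len(xcto)} times")

    # nosniff makes the browser honour the declared type; it cannot supply one.
    # Redirects and 204s carry no body, so only flag this on other responses.
    has_ctype = any(n.lower() == "content-type" for n, _ in headers)
    if not has_ctype and not (300 <= code < 400 or code == 204):
        findings.append("Content-Type missing; fix the declared type, nosniff cannot supply one")
    return findings


def audit(responses):
    """Map URL -> findings for a set of raw response heads."""
    return {url: check_nosniff(raw) for url, raw in responses.items()}


# Constructed samples standing in for `curl -sI` output on the URLs worth
# checking: front page, redirect, 404 and a static asset. Not from a real site.
SAMPLES = {
    "https://example.test/": (
        "HTTP/2 200\r\n"
        "content-type: text/html; charset=utf-8\r\n"
        "x-content-type-options: nosniff\r\n"
    ),
    "https://example.test/old": (
        "HTTP/2 301\r\n"
        "location: https://example.test/\r\n"
    ),
    "https://example.test/does-not-exist": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        "Server: nginx\r\n"
    ),
    "https://example.test/static/app.js": (
        "HTTP/2 200\r\n"
        "x-content-type-options: nosniff\r\n"
        "X-Content-Type-Options: NoSniff\r\n"
    ),
}


if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, "OK" if not findings else "; ".join(findings))
```

In the constructed set only the front page passes: the redirect and the 404 lack the header entirely (the classic symptom of setting it without nginx's or Apache's always), and the script is served twice-over but without any Content-Type, so a browser honouring nosniff has no declared JavaScript type to accept.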
