How to fix: X-Content-Type-Options nosniff
OWASP A05
Why this matters
Browsers will sometimes guess ("sniff") the type of a response and execute it as a script even if your server said it was text. nosniff shuts that down — it's a one-line defence against a classic XSS vector.
Background
X-Content-Type-Options: nosniff tells the browser to trust the Content-Type the server sent instead of guessing the MIME type from the response bytes. That prevents the case where a .jpg endpoint (an upload handler, say) actually returns HTML or JavaScript and the browser interprets it as a script: with nosniff set, a browser refuses to run a <script> whose response is not served with a JavaScript MIME type and refuses a stylesheet not served as text/css. It is a cheap defence that should be on every response, and it only does its job when every response also carries a correct Content-Type.
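How a browser applies the header, as an added example that is not code from the page: a Python model of the Fetch standard's "blocked due to nosniff" check, run over constructed responses (the .jpg endpoint that really returns HTML, with and without the header). The MIME-type list is abridged; the sample header blocks are made up.

```python
from __future__ import annotations
# Added example, not code from the page: models how a browser applies
# X-Content-Type-Options: nosniff per the Fetch standard's "blocked due to
# nosniff" check. Sample responses below are constructed.

# JavaScript MIME types a browser accepts for <script> (abridged list).
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}

def parse_headers(raw: str) -> dict[str, str]:
    """Raw header block (what `curl -sI` prints) -> dict keyed by lowercase
    header name; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def nosniff_enabled(headers: dict[str, str]) -> bool:
    """Fetch's 'determine nosniff': only the first comma-separated token of
    the value counts, compared case-insensitively."""
    value = headers.get("x-content-type-options")
    return value is not None and value.split(",")[0].strip().lower() == "nosniff"

def mime_essence(headers: dict[str, str]) -> str | None:
    """type/subtype of Content-Type without parameters, or None if absent."""
    ctype = headers.get("content-type")
    return ctype.split(";")[0].strip().lower() if ctype else None

def blocked_by_nosniff(headers: dict[str, str], destination: str) -> bool:
    """True if a browser honouring nosniff refuses to use this response as
    `destination` ('script' or 'style'). Other destinations are not covered
    by this rule, and without nosniff the browser is free to sniff."""
    if not nosniff_enabled(headers):
        return False
    essence = mime_essence(headers)  # a missing Content-Type also blocks
    if destination == "script":
        return essence not in JS_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False

# Constructed samples: a .jpg upload URL returning HTML, without and with nosniff.
UPLOAD_WITHOUT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
UPLOAD_WITH = UPLOAD_WITHOUT + "X-Content-Type-Options: nosniff\r\n"
```

Without the header the HTML response is never blocked by this rule, so a browser that sniffs may execute it when it is referenced from a script tag; with the header the same response is refused.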
References
MDN · OWASP A05 · MIME-sniffing defence
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
add_header X-Content-Type-Options "nosniff" always;
The always flag makes nginx send the header on error responses (404, 500) as well, not only on 2xx/3xx.
Apache
Header always set X-Content-Type-Options "nosniff"
Requires mod_headers to be enabled.
Cloudflare
Transform Rules → response header → X-Content-Type-Options: nosniff.
WordPress
The Headers Security Advanced plugin sets it; or add it via wp-config.php / functions.php.
Flask
Set by Flask-Talisman by default.
Express
helmet.noSniff() (also enabled by the default helmet() middleware).
Rails
On by default via Rails' default headers (config.action_dispatch.default_headers).
Verify it's working
curl -sI https://your-site/ | grep -i 'x-content-type-options:'
Check more than the home page: a 404 page, an API response and a file served from an upload directory should all show the header.