Missing X-Content-Type-Options header

The X-Content-Type-Options header is absent from the response. Without it, browsers may "sniff" a file's content and interpret it as a different MIME type than the one declared.

Why it matters

An attacker who can upload a file (for example an image or a CSV) can get it executed as JavaScript if the browser "sniffs" its content. Setting the header to nosniff blocks this vector.

How to fix

  1. Via .htaccess (Apache)

     <IfModule mod_headers.c>
       Header always set X-Content-Type-Options "nosniff"
     </IfModule>

  2. Via Nginx

     add_header X-Content-Type-Options "nosniff" always;
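
A check to run after applying either fix, as an added example (not part of the original page): it audits raw response headers, such as the output of `curl -sI`, and includes an error response because the `always` keyword in both snippets is what extends the header to non-success status codes. The sample responses and function names are constructed for illustration.

```python
# Added example: audit raw HTTP response headers for X-Content-Type-Options.
# All sample responses below are constructed, not captured from a real site.

def parse_response(raw):
    """Split a raw header block into (status_code, [(name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def has_nosniff(headers):
    """True if the first X-Content-Type-Options value is 'nosniff'.

    Header names are case-insensitive. Repeated headers are joined with
    commas and only the first value is compared, case-insensitively.
    """
    values = [v for n, v in headers if n == "x-content-type-options"]
    if not values:
        return False
    first = ",".join(values).split(",")[0].strip()
    return first.lower() == "nosniff"

def audit(responses):
    """Return {label: (status, header_ok)} for each labelled raw response."""
    result = {}
    for label, raw in responses.items():
        status, headers = parse_response(raw)
        result[label] = (status, has_nosniff(headers))
    return result

SAMPLES = {  # constructed responses
    "page":   "HTTP/1.1 200 OK\nContent-Type: text/html\nx-content-type-options: NoSniff\n",
    "upload": "HTTP/1.1 200 OK\nContent-Type: image/png\n",
    "error":  "HTTP/1.1 404 Not Found\nContent-Type: text/html\n",
    "typo":   "HTTP/1.1 200 OK\nX-Content-Type-Options: sniff, nosniff\n",
}

if __name__ == "__main__":
    for label, (status, ok) in audit(SAMPLES).items():
        print(f"{label:8} {status} {'ok' if ok else 'MISSING nosniff'}")
```

Check the paths that serve user uploads and at least one error page, not only the home page.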
