Missing X-Content-Type-Options header

Quick win

Add the `X-Content-Type-Options: nosniff` HTTP response header to every page of your store so browsers never guess at file types.

What it is

When your web server sends a file to a visitor's browser, it labels that file with a "content type" (e.g. "this is a CSS stylesheet" or "this is a JPEG image"). The `X-Content-Type-Options: nosniff` header is a one-line instruction you add to your server's responses that tells browsers: "Trust the label I gave this file — do not try to re-examine and re-classify it yourself." Without this header, some browsers will "sniff" (inspect the raw bytes of) a file and decide for themselves what kind of file it is, which can be exploited by attackers to trick a browser into treating a malicious upload as a runnable script.

Why it matters

Without this header, an attacker who can upload content to your store (e.g. a product image or a review attachment) may be able to craft a file that a browser silently re-interprets as executable JavaScript, enabling a MIME-type confusion attack or a cross-site scripting (XSS) exploit — potentially stealing customer credentials or payment data. This is classified under OWASP A05:2021 Security Misconfiguration, one of the most common and impactful vulnerability categories. Modern security scanners, browser dev-tools audits, and PCI DSS compliance checks all flag this missing header, so it can block you from passing security reviews required by payment processors. It is one of the fastest, lowest-risk security wins available: a single line of configuration that all modern browsers honour.

How to fix it

  1. Confirm the header is currently missing by opening your browser's developer tools (F12), going to the Network tab, reloading your homepage, clicking the first document request, and checking the Response Headers section for 'X-Content-Type-Options'.
  2. Decide where to set the header: most platforms let you configure it inside a theme file, a middleware/plugin setting, or a hosting-level config file (e.g. .htaccess for Apache, nginx.conf for NGINX).
  3. Add the header value exactly as: X-Content-Type-Options: nosniff — this single directive is the only accepted value; there are no alternatives.
  4. Apply the change to ALL responses from your store (HTML pages, CSS, JS, images, fonts, API endpoints) — not just the homepage — by setting it at the server or CDN level rather than page-by-page.
  5. Deploy and verify: reload any page, re-check the Response Headers in browser dev-tools, and confirm 'X-Content-Type-Options: nosniff' now appears.
  6. Re-run your security scanner or use a free header-check tool (e.g. securityheaders.com) to confirm the finding is resolved.

X-Content-Type-Options: nosniff

Fix it on your platform

Pick your platform for the exact steps.

How to fix a missing X-Content-Type-Options header on Shopify
  1. Shopify's core storefront automatically sends X-Content-Type-Options: nosniff on all Shopify-hosted pages — verify this is the case for your specific theme by checking Response Headers in browser dev-tools.
  2. If you are using a custom Shopify app, a Shopify Functions middleware, or a headless/custom storefront (Hydrogen/Oxygen), open your server-side code and add the header in your response handler (e.g. in your Remix loader or Express middleware: res.setHeader('X-Content-Type-Options', 'nosniff')).
  3. For a Hydrogen storefront on Oxygen: in your server.ts (or entry.server.tsx), add the header to the Response object before returning it from your request handler.
  4. If you proxy Shopify through a CDN (Cloudflare, Fastly, etc.), add the header as a custom response rule at the CDN layer to ensure it is present on every response.

How to fix a missing X-Content-Type-Options header on Shopify Plus
  1. Same as Shopify above — the platform injects this header by default on storefront responses.
  2. For custom checkout extensibility or a headless storefront, ensure your middleware/server code sets res.setHeader('X-Content-Type-Options', 'nosniff') on all responses.
  3. Use Shopify Plus's Launchpad or a custom app with a web-pixel to audit headers regularly.

How to fix a missing X-Content-Type-Options header on WooCommerce
  1. Install the free 'HTTP Headers' plugin (by David Gwyer) or 'Security Headers' plugin from the WordPress plugin directory: WP Admin → Plugins → Add New → search 'HTTP Headers' or 'Security Headers'.
  2. After activating, go to Settings → HTTP Headers (or the plugin's own menu item) and add a new header: Name = X-Content-Type-Options, Value = nosniff. Save.
  3. Alternatively, edit your theme's functions.php (Appearance → Theme File Editor → functions.php) and add: add_action('send_headers', function(){ header('X-Content-Type-Options: nosniff'); });
  4. Or add 'Header always set X-Content-Type-Options "nosniff"' to your .htaccess file (Apache) or 'add_header X-Content-Type-Options nosniff always;' to your nginx server block — both found in your hosting control panel's file manager or via FTP.
  5. Verify by reloading any page and checking Response Headers in browser dev-tools.

How to fix a missing X-Content-Type-Options header on WordPress.org
  1. Install the 'HTTP Headers' or 'Security Headers' plugin from WP Admin → Plugins → Add New.
  2. Configure it to send X-Content-Type-Options: nosniff on all responses.
  3. Alternatively, add the header via your server config: in .htaccess (Apache) add 'Header always set X-Content-Type-Options "nosniff"'; in nginx.conf add 'add_header X-Content-Type-Options nosniff always;' inside the server {} block.
  4. Or use the functions.php method: add_action('send_headers', function(){ header('X-Content-Type-Options: nosniff'); }); in Appearance → Theme File Editor → functions.php.
  5. Confirm the header appears in browser dev-tools Network tab after saving.

How to fix a missing X-Content-Type-Options header on BigCommerce
  1. BigCommerce's SaaS storefront automatically includes X-Content-Type-Options: nosniff on all storefront responses — confirm this in browser dev-tools Network tab.
  2. If you are running a headless BigCommerce storefront (e.g. using Next.js + BigCommerce API), add the header in your Next.js config: open next.config.js and, inside the headers() async function, return a rule whose headers array contains { key: 'X-Content-Type-Options', value: 'nosniff' }.
  3. If you use a CDN or reverse proxy in front of BigCommerce (Cloudflare, Akamai), add a custom response header rule for X-Content-Type-Options: nosniff at the CDN layer.
  4. For custom BigCommerce apps or API-connected middleware, set the header in your server-side response handler.

How to fix a missing X-Content-Type-Options header on Adobe Commerce (Magento)
  1. In Adobe Commerce / Magento 2, go to Admin → Stores → Configuration → General → Web → Default Headers section — note that full custom security header control is typically done at the server/Nginx level.
  2. For Nginx (most common): open your Magento Nginx config file (usually at /etc/nginx/sites-available/your-store.conf or the Magento-provided nginx.conf.sample) and inside the server {} block add: add_header X-Content-Type-Options nosniff always;
  3. For Apache: add 'Header always set X-Content-Type-Options "nosniff"' to your .htaccess file in the Magento root, or to your VirtualHost block.
  4. Alternatively, create a custom Magento plugin/interceptor on \Magento\Framework\App\Response\Http to programmatically set the header on all responses via a before/after plugin on the sendResponse() method.
  5. Clear Magento's full-page cache (Admin → System → Cache Management → Flush Magento Cache) then verify in browser dev-tools.

How to fix a missing X-Content-Type-Options header on Magento Open Source
  1. Same as Adobe Commerce (Magento) above — apply the Nginx or Apache server-block header directive, or use a Magento 2 plugin/interceptor.
  2. Add 'add_header X-Content-Type-Options nosniff always;' to your Nginx server block, or 'Header always set X-Content-Type-Options "nosniff"' to .htaccess.
  3. Flush cache via Admin → System → Cache Management → Flush Magento Cache, then verify in browser dev-tools.

How to fix a missing X-Content-Type-Options header on Wix
  1. Wix does not provide direct HTTP response header configuration for standard sites in its dashboard — Wix automatically sets X-Content-Type-Options: nosniff on pages it serves; verify this is present for your site in browser dev-tools.
  2. If you are using Wix Velo (developer mode): open your site's HTTP Functions file (Public → http-functions.js) and ensure any custom API/function responses include the header: response.headers.set('X-Content-Type-Options', 'nosniff');
  3. For any external resources or custom backends connected to your Wix site, set the header on those servers independently.
  4. If the header is missing on your Wix-hosted pages, contact Wix Support — standard storefront pages should carry this header automatically.

How to fix a missing X-Content-Type-Options header on Wix Studio
  1. Like standard Wix, Wix Studio serves pages with X-Content-Type-Options: nosniff by default — confirm in browser dev-tools.
  2. For custom Velo backend/web module code in Wix Studio, add the header to any HTTP function responses: response.headers.set('X-Content-Type-Options', 'nosniff');
  3. Reach out to Wix Studio support if you find the header absent on standard page responses.

How to fix a missing X-Content-Type-Options header on Squarespace
  1. Squarespace automatically includes X-Content-Type-Options: nosniff on all hosted storefronts — verify this in browser dev-tools (Network tab → Response Headers).
  2. Squarespace does not expose server-level header configuration to store owners; you cannot add or modify HTTP response headers manually via the Squarespace dashboard.
  3. If the header is confirmed missing, contact Squarespace Support to report the issue, as it is a platform-level infrastructure setting outside your control.
  4. For any external APIs or backend services you connect to your Squarespace site, ensure those services send the header independently.

How to fix a missing X-Content-Type-Options header on Webflow
  1. Webflow does not currently provide a native UI for setting custom HTTP response headers on its hosted sites.
  2. The recommended approach is to proxy your Webflow site through Cloudflare (free plan): add your site to Cloudflare, then go to Rules → Transform Rules → Modify Response Header → Create Rule, set Header Name = X-Content-Type-Options, Value = nosniff, and apply it to all requests.
  3. Alternatively, use Cloudflare Workers or another reverse proxy/CDN that supports custom response headers.
  4. For Webflow sites exported and self-hosted, add the header in your hosting environment's server config (Apache .htaccess or Nginx config).
  5. Verify using browser dev-tools after Cloudflare or server-side changes are deployed.

How to fix a missing X-Content-Type-Options header on Next.js
  1. Open next.config.js in your project root.
  2. Add or update the headers() async function to return the header for all routes: { source: '/(.*)', headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }] }
  3. Redeploy your Next.js app (e.g. via Vercel, which also lets you set headers in vercel.json under the 'headers' key).
  4. Verify the header appears on all responses in browser dev-tools.
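As an added example (not a file from the Next.js project or from BigCommerce), the following `next.config.js` implements the Next.js steps above and the headless-BigCommerce step, returning the rule from step 2 for all routes. The `securityHeaders` and `missingHeaders` helpers and the `--check` flag are this example's own additions, included so the header list can be verified in a unit test or a CI job before deploying.

```javascript
// Added example, not the Next.js project's or BigCommerce's own file: a
// complete next.config.js that sends X-Content-Type-Options: nosniff on every
// route. The header list lives in a plain function, and missingHeaders() lets
// a test or CI step confirm the required header is present before deploy.

// Headers Next.js attaches to every response matching the rule below.
function securityHeaders() {
  return [{ key: 'X-Content-Type-Options', value: 'nosniff' }];
}

// Path pattern from step 2 above: a regex group that matches every route.
const ALL_ROUTES = '/(.*)';

// Given a header list in Next.js shape ([{ key, value }, ...]), return the
// names of required headers that are absent or carry a wrong value. An
// empty array means the list is correct. Key comparison is case-insensitive
// because header names are; the value must match exactly.
function missingHeaders(list, required = { 'X-Content-Type-Options': 'nosniff' }) {
  return Object.entries(required)
    .filter(([key, value]) =>
      !list.some((h) => h.key.toLowerCase() === key.toLowerCase() && h.value === value))
    .map(([key]) => key);
}

const nextConfig = {
  async headers() {
    return [{ source: ALL_ROUTES, headers: securityHeaders() }];
  },
};

// Self-check for CI: node next.config.js --check exits non-zero when the
// configured list no longer contains the required header.
if (process.argv.includes('--check')) {
  const missing = missingHeaders(securityHeaders());
  console.log(missing.length === 0 ? 'security headers OK' : `missing: ${missing.join(', ')}`);
  process.exit(missing.length === 0 ? 0 : 1);
}

module.exports = nextConfig;
```

After redeploying, step 4 still applies: confirm the header in dev-tools, because a CDN or proxy in front of the app can strip or override what Next.js sets.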

How to fix a missing X-Content-Type-Options header on PrestaShop
  1. For Apache hosting: open the .htaccess file in your PrestaShop root directory (or generate a new one via Admin → Advanced Parameters → Performance → Generate .htaccess file) and add: Header always set X-Content-Type-Options "nosniff"
  2. For Nginx: add 'add_header X-Content-Type-Options nosniff always;' inside your server {} block in the Nginx config file.
  3. Alternatively, install a PrestaShop security module such as 'Security Headers' from the PrestaShop Addons marketplace, which provides a UI for setting response headers.
  4. Clear PrestaShop's cache (Admin → Advanced Parameters → Performance → Clear Cache) and verify in browser dev-tools.

How to fix a missing X-Content-Type-Options header on OpenCart
  1. For Apache: add 'Header always set X-Content-Type-Options "nosniff"' to the .htaccess file in your OpenCart root directory.
  2. For Nginx: add 'add_header X-Content-Type-Options nosniff always;' to your server {} block.
  3. Alternatively, edit OpenCart's index.php or a system startup file to add the PHP header() call: header('X-Content-Type-Options: nosniff'); — place it before any output.
  4. Verify in browser dev-tools after deploying.

How to fix a missing X-Content-Type-Options header on Ghost
  1. Ghost (self-hosted) is typically run behind Nginx: add 'add_header X-Content-Type-Options nosniff always;' inside the server {} block of your Ghost Nginx config (usually at /etc/nginx/sites-available/your-ghost-site.conf).
  2. Run 'sudo nginx -t' to validate the config, then 'sudo systemctl reload nginx'.
  3. For Ghost(Pro) hosted, the platform handles security headers — verify in dev-tools; contact Ghost support if the header is absent.

How to fix a missing X-Content-Type-Options header on Cloudflare (CDN/proxy, any platform)
  1. Log in to Cloudflare dashboard → select your domain.
  2. Go to Rules → Transform Rules → Modify Response Header.
  3. Click 'Create Rule', name it 'Add X-Content-Type-Options', set the action to 'Set' header name 'X-Content-Type-Options' to value 'nosniff', apply to all incoming requests (or use a wildcard path /*), and Save/Deploy.
  4. Verify in browser dev-tools that the header now appears on all responses.
