How do I fix missing x content type options on BigCommerce?

BigCommerce's SaaS storefront automatically includes X-Content-Type-Options: nosniff on all storefront responses — confirm this in browser dev-tools Network tab. If you are running a headless BigCommerce storefront (e.g. using Next.js + BigCommerce API), add the header in your Next.js config: open next.config.js and add it inside the headers() async function returning { key: 'X-Content-Type-Options', value: 'nosniff' }. If you use a CDN or reverse proxy in front of BigCommerce (Cloudflare, Akamai), add a custom response header rule for X-Content-Type-Options: nosniff at the CDN layer. For custom BigCommerce apps or API-connected middleware, set the header in your server-side response handler.

How to fix missing x content type options on BigCommerce

Add the `X-Content-Type-Options: nosniff` HTTP response header to every page of your store so browsers never guess at file types.

Steps for BigCommerce

BigCommerce's SaaS storefront automatically includes X-Content-Type-Options: nosniff on all storefront responses — confirm this in browser dev-tools Network tab.
If you are running a headless BigCommerce storefront (e.g. using Next.js + BigCommerce API), add the header in your Next.js config: open next.config.js and add it inside the headers() async function returning { key: 'X-Content-Type-Options', value: 'nosniff' }.
If you use a CDN or reverse proxy in front of BigCommerce (Cloudflare, Akamai), add a custom response header rule for X-Content-Type-Options: nosniff at the CDN layer.
For custom BigCommerce apps or API-connected middleware, set the header in your server-side response handler.

Official BigCommerce documentation ↗

X-Content-Type-Options: nosniff

What is missing x content type options?

When your web server sends a file to a visitor's browser, it labels that file with a "content type" (e.g. "this is a CSS stylesheet" or "this is a JPEG image"). The `X-Content-Type-Options: nosniff` header is a one-line instruction you add to your server's responses that tells browsers: "Trust the label I gave this file — do not try to re-examine and re-classify it yourself." Without this header, some browsers will "sniff" (inspect the raw bytes of) a file and decide for themselves what kind of file it is, which can be exploited by attackers to trick a browser into treating a malicious upload as a runnable script.

Without this header, an attacker who can upload content to your store (e.g. a product image or a review attachment) may be able to craft a file that a browser silently re-interprets as executable JavaScript, enabling a MIME-type confusion attack or a cross-site scripting (XSS) exploit — potentially stealing customer credentials or payment data. This is classified under OWASP A05:2021 Security Misconfiguration, one of the most common and impactful vulnerability categories. Modern security scanners, browser dev-tools audits, and PCI DSS compliance checks all flag this missing header, so it can block you from passing security reviews required by payment processors. It is one of the fastest, lowest-risk security wins available: a single line of configuration that all modern browsers honour.

See the complete Missing x content type options guide for every platform and the full background.

Not sure if your BigCommerce store has this?

Run a free SEOLZ audit — we’ll find missing x content type options and every other issue across your whole site.

Scan my site free

How to fix missing x content type options on BigCommerce

Steps for BigCommerce

What is missing x content type options?

Not sure if your BigCommerce store has this?

Fix missing x content type options on another platform