X content type options weak
Quick win
Set the `X-Content-Type-Options` response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.
What it is
The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.
Why it matters
Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.
How to fix it
- Audit your current headers by loading your store URL in a browser and inspecting the Network tab (DevTools → Network → select any request → Headers) or using a tool like securityheaders.com — look for the `X-Content-Type-Options` header and confirm it appears exactly once with the value `nosniff`.
- Identify where the header is being set today: it may be set in your platform's admin/app, a CDN layer (Cloudflare, Fastly, etc.), a hosting server config file (.htaccess, nginx.conf), or a combination — duplicate values (`nosniff, nosniff`) are almost always caused by two layers each setting the header independently.
- Choose a single authoritative place to set the header and remove or disable it everywhere else to prevent duplication.
- Set the header value to exactly `nosniff` (lowercase, no extra spaces, no repetition): `X-Content-Type-Options: nosniff`
- Deploy the change, then re-verify with DevTools or securityheaders.com that the header appears exactly once with the correct value.
- If you use a CDN (Cloudflare, Fastly, etc.), check its 'Transform Rules' or 'Headers' settings as a separate layer that might be adding a second copy of the header.
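The audit and re-verify steps above can be scripted so that every page and asset is checked, not only the home page. The following is an added example written for this page, not code from the original article, SEOLZ, or any platform vendor. It classifies the header the way the list above describes (present exactly once, value exactly `nosniff`) and separately reports what a browser that follows the Fetch specification actually does with the received value: it takes the first comma-separated token and compares it case-insensitively with `nosniff`, so a duplicated `nosniff, nosniff` still disables sniffing in the browser and the finding is a configuration-hygiene problem (two layers setting the header) rather than a loss of protection. The header samples in the block are constructed, and the URLs are placeholders to be replaced with your own storefront and one static asset.

```python
"""Check X-Content-Type-Options on every page and asset, the way a scanner does.

Added example, not code from the original page, SEOLZ or any platform vendor.
Header samples below are constructed; URLs passed on the command line are yours.
"""
import sys
import urllib.request

HEADER = "X-Content-Type-Options"


def classify_xcto(values):
    """Return 'ok', 'missing', 'empty', 'duplicate' or 'malformed'.

    `values` holds one string per header line the server sent. Two lines
    ('nosniff' twice) and one line reading 'nosniff, nosniff' are both
    'duplicate': each means two layers (app, CDN, web server) set the header.
    """
    if not values:
        return "missing"
    tokens = [t.strip() for v in values for t in v.split(",")]
    if all(t == "" for t in tokens):
        return "empty"
    if "" in tokens:                 # e.g. a trailing comma: 'nosniff,'
        return "malformed"
    if len(tokens) > 1:
        return "duplicate"
    return "ok" if tokens[0] == "nosniff" else "malformed"


def browser_would_nosniff(values):
    """What a Fetch-spec browser does with the header it received.

    The spec takes the first comma-separated value and compares it
    case-insensitively with 'nosniff'; everything after the first comma
    is ignored. So duplicates still protect the visitor, while an empty
    or misspelled value does not.
    """
    if not values:
        return False
    first = values[0].split(",")[0].strip()
    return first.lower() == "nosniff"


def fetch_xcto(url, timeout=10):
    """Return the list of X-Content-Type-Options header lines for `url`.

    Uses GET rather than HEAD because some CDNs answer HEAD differently.
    get_all() keeps one entry per header line, so duplicate lines survive
    instead of being merged into one string.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "xcto-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get_all(HEADER) or []


def audit(urls):
    """Map each URL to its classification; network failures become 'error: ...'."""
    results = {}
    for url in urls:
        try:
            results[url] = classify_xcto(fetch_xcto(url))
        except OSError as exc:       # URLError/HTTPError are OSError subclasses
            results[url] = "error: %s" % exc
    return results


# Constructed header sets showing each verdict offline (no network needed).
SAMPLES = {
    "correct":          ["nosniff"],
    "two header lines": ["nosniff", "nosniff"],
    "one line, twice":  ["nosniff, nosniff"],
    "empty value":      [""],
    "wrong case":       ["NOSNIFF"],
    "absent":           [],
}

if __name__ == "__main__":
    for label, values in SAMPLES.items():
        print("%-17s scanner=%-9s browser_nosniff=%s"
              % (label, classify_xcto(values), browser_would_nosniff(values)))
    # Placeholder usage: pass your storefront URL and at least one asset URL.
    if len(sys.argv) > 1:
        for url, verdict in audit(sys.argv[1:]).items():
            print(url, "->", verdict)
    else:
        print("usage: python3 xcto_audit.py https://your-store.example/ "
              "https://your-store.example/assets/theme.css")
```

Run it with your home page and at least one static asset (a CSS, JS or image URL). Checking an asset matters because web servers scope response headers: in Nginx, a `location {}` block that contains any `add_header` of its own does not inherit the `add_header` lines from the enclosing `server {}` block, so the header can be present on HTML pages and silently missing on the static files served by that location. Run the script again after deploying and after clearing any CDN cache.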
`X-Content-Type-Options: nosniff`
Fix it on your platform
Pick your platform for the exact steps.
How to fix x content type options weak on Shopify
- Shopify's core storefront automatically sends `X-Content-Type-Options: nosniff` — if your scanner shows a duplicate or malformed value, the extra copy is almost certainly coming from a third-party app or a Cloudflare/CDN layer you've added.
- Check installed apps: Shopify Admin → Apps — look for any 'security headers' or 'HTTP headers' app and review its settings. Disable or remove any app that is independently setting this header.
- If you use Cloudflare in front of Shopify: Cloudflare Dashboard → your domain → Rules → Transform Rules → Modify Response Headers — delete any rule that sets `X-Content-Type-Options`, since Shopify already handles it.
- Verify the fix: open Chrome DevTools on your storefront, go to Network → select any page request → Headers, and confirm `X-Content-Type-Options: nosniff` appears exactly once.
How to fix x content type options weak on Shopify Plus
- Same as Shopify above. Shopify Plus merchants should additionally check any custom Cloudflare Enterprise rules or edge middleware configured by their agency.
- Shopify Admin → Apps — audit all installed apps for header-manipulation behaviour.
- Cloudflare Dashboard → Rules → Transform Rules → Modify Response Headers — ensure no duplicate rule exists for `X-Content-Type-Options`.
- Use a staging/development store to verify headers before pushing changes to production.
How to fix x content type options weak on WooCommerce
- Install the free 'HTTP Headers' plugin (author: John Henckel) or 'Headers Security Advanced & CORS' from the WordPress plugin directory.
- WordPress Admin → Settings → HTTP Headers (or the plugin's settings page) — find the `X-Content-Type-Options` field and set it to `nosniff`. Save.
- If you are also setting the header via your server (see below), disable it in one location to prevent duplication.
- Alternatively, edit your `.htaccess` file (Apache) in the WordPress root directory and add: `<IfModule mod_headers.c>` / `Header set X-Content-Type-Options "nosniff"` / `</IfModule>` — but only if you are NOT setting it via a plugin.
- For Nginx hosting, ask your host to add `add_header X-Content-Type-Options "nosniff" always;` to the server block in the nginx config, and remove any plugin that also sets it.
- Verify: use a browser's DevTools Network tab or securityheaders.com to confirm exactly one `nosniff` value.
How to fix x content type options weak on WordPress.org
- Install the 'HTTP Headers' plugin or 'Solid Security' (formerly iThemes Security) from WordPress Admin → Plugins → Add New.
- Solid Security path: WordPress Admin → Security → Settings → Security Check, or search for 'Security Headers' within the plugin's settings — enable `X-Content-Type-Options: nosniff`.
- If your host (e.g. WP Engine, Kinsta, SiteGround) already injects this header at the server level, do NOT also add it via plugin — check your host's dashboard or contact support to confirm.
- Verify with DevTools or securityheaders.com.
How to fix x content type options weak on BigCommerce
- BigCommerce's platform injects `X-Content-Type-Options: nosniff` by default on storefront responses.
- If your scanner reports a duplicate, the extra copy is likely coming from Cloudflare or another CDN/proxy sitting in front of your store.
- Log in to your Cloudflare (or other CDN) dashboard → Rules / Transform Rules → Modify Response Headers — remove any rule that adds `X-Content-Type-Options`, since BigCommerce already sets it.
- If you use a custom nginx or Apache reverse proxy, remove the header directive from that config.
- Verify with DevTools or securityheaders.com after clearing any CDN cache.
How to fix x content type options weak on Wix
- Wix automatically adds security headers including `X-Content-Type-Options: nosniff` to all Wix-hosted sites — you cannot and do not need to set this manually in the Wix editor.
- If your scanner flags a duplicate, the issue is an upstream proxy or Cloudflare integration added to your domain.
- Remove any Cloudflare or third-party header-injection rule that duplicates `X-Content-Type-Options`.
- Contact Wix Support if you believe the platform itself is sending a malformed header.
How to fix x content type options weak on Squarespace
- Squarespace automatically sets `X-Content-Type-Options: nosniff` on all hosted stores — no manual configuration is available or needed within the Squarespace UI.
- If a duplicate header is detected, audit any Cloudflare or CDN layer connected to your custom domain: Cloudflare Dashboard → Rules → Transform Rules → Modify Response Headers — remove any rule setting this header.
- Contact Squarespace Support if the platform itself is emitting a malformed or repeated value.
How to fix x content type options weak on Webflow
- Webflow automatically sends `X-Content-Type-Options: nosniff` on all hosted projects.
- If a duplicate is found, check whether you have Cloudflare or another reverse proxy on your custom domain: Cloudflare Dashboard → Rules → Transform Rules → Modify Response Headers — delete any rule that also sets `X-Content-Type-Options`.
- For Webflow sites exported and self-hosted, add the header in your own server config (Apache `.htaccess` or Nginx server block) and ensure only one source sets it.
How to fix x content type options weak on Adobe Commerce (Magento)
- SSH into your server and open your Nginx virtual host config (typically at `/etc/nginx/sites-available/your-store.conf` or inside `/etc/nginx/conf.d/`) or your Apache `.htaccess` / virtual host config.
- For Nginx, add inside the `server {}` block: `add_header X-Content-Type-Options "nosniff" always;` — remove any duplicate `add_header X-Content-Type-Options` lines in the same or parent blocks.
- For Apache, in `.htaccess` or VirtualHost config add: `<IfModule mod_headers.c>` / `Header set X-Content-Type-Options "nosniff"` / `</IfModule>` — remove any duplicate directives.
- Alternatively, configure it in Magento's `pub/.htaccess` or via a custom plugin/module that sets response headers.
- Reload/restart the web server (`sudo nginx -t && sudo systemctl reload nginx` or `sudo systemctl reload apache2`).
- Verify with DevTools or securityheaders.com.
How to fix x content type options weak on Magento Open Source
- Follow the same Nginx/Apache steps as Adobe Commerce above.
- Check for any third-party Magento extension labelled 'Security Headers' in your Admin → System → Extensions — if one exists, disable the server-level directive and manage it only via the extension, or vice versa, to avoid duplication.
- Reload the web server and verify.
How to fix x content type options weak on PrestaShop
- Edit your Apache `.htaccess` file in the PrestaShop root, or your Nginx server block config.
- Apache: add `Header always set X-Content-Type-Options "nosniff"` inside a `<IfModule mod_headers.c>` block.
- Nginx: add `add_header X-Content-Type-Options "nosniff" always;` in the server block.
- Remove any duplicate directives or conflicting module settings.
- Reload the web server and verify with DevTools.
Authoritative references
- OWASP Top Ten — OWASP
- OWASP Cheat Sheet Series — OWASP
- Secure Headers Project — OWASP
- Website security — MDN