How to fix x content type options weak on Adobe Commerce (Magento)
Set the X-Content-Type-Options response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.
Steps for Adobe Commerce (Magento)
- SSH into your server and open your Nginx virtual host config (typically at `/etc/nginx/sites-available/your-store.conf` or inside `/etc/nginx/conf.d/`) or your Apache `.htaccess` / virtual host config.
- For Nginx, add inside the `server {}` block: `add_header X-Content-Type-Options "nosniff" always;` and remove any duplicate `add_header X-Content-Type-Options` lines in the same or parent blocks. Note that an `add_header` directive in a `location {}` block replaces, rather than extends, the `add_header` lines inherited from `server {}`, so any location that sets its own headers (for example a static-asset location) must repeat the `nosniff` line or those responses will go out without it.
- For Apache, in `.htaccess` or the VirtualHost config add a `<IfModule mod_headers.c>` block containing `Header set X-Content-Type-Options "nosniff"` (closed with `</IfModule>`), and remove any duplicate directives.
- Alternatively, configure it in Magento's `pub/.htaccess` or via a custom plugin/module that sets response headers.
- Reload/restart the web server (`sudo nginx -t && sudo systemctl reload nginx` or `sudo systemctl reload apache2`).
- Verify in the browser DevTools Network tab (Response Headers) or with securityheaders.com, checking both an HTML page and a static asset.
After the fix, every response should carry exactly one header line: `X-Content-Type-Options: nosniff`
What is x content type options weak?
The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.
Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.
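As an added verification example (not code from the original guide): the check below classifies a response's X-Content-Type-Options header the way the text above describes it, as missing, empty, sent twice, or joined as `nosniff, nosniff`, which a DevTools glance can miss. The `check_xcto` and `fetch_headers` names and the sample header blocks are my own constructions.

```python
"""Classify the X-Content-Type-Options header in a raw HTTP response header block."""
import http.client
import urllib.parse


def check_xcto(raw_headers: str) -> str:
    """Return "ok", "missing", "duplicate", "empty" or "wrong-value".

    Names match case-insensitively and the value is trimmed and lowercased, as
    browsers do. Two header lines and a comma-joined "nosniff, nosniff" are both
    reported as "duplicate": either form can make a browser ignore the directive.
    """
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-content-type-options":
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    if values[0] == "":
        return "empty"
    return "ok" if values[0].lower() == "nosniff" else "wrong-value"


def fetch_headers(url: str, timeout: float = 10.0) -> str:
    """GET `url` (live network call) and return its response headers as one block.

    http.client keeps repeated header lines that dict-style views merge away.
    """
    parts = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"User-Agent": "xcto-check"})
    resp = conn.getresponse()
    raw = "\r\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    conn.close()
    return raw


# Constructed sample header blocks (not captured from any real store).
SAMPLES = {
    "good": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n",
    "two-lines": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\n",
    "joined": "HTTP/1.1 200 OK\r\nx-content-type-options: nosniff, nosniff\r\n",
    "empty": "HTTP/1.1 200 OK\r\nX-Content-Type-Options:\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        print(f"{label:10s} -> {check_xcto(block)}")
```

To check a live store, pass `fetch_headers("https://your-store.example/")` to `check_xcto`; run it against a product page and a file under `pub/static` to cover both pages and assets.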
See the complete X content type options weak guide for every platform and the full background.