How do I fix x content type options weak on BigCommerce?

BigCommerce's platform injects `X-Content-Type-Options: nosniff` by default on storefront responses. If your scanner reports a duplicate, the extra copy is likely coming from Cloudflare or another CDN/proxy sitting in front of your store. Log in to your Cloudflare (or other CDN) dashboard → Rules / Transform Rules → Modify Response Headers — remove any rule that adds `X-Content-Type-Options`, since BigCommerce already sets it. If you use a custom nginx or Apache reverse proxy, remove the header directive from that config. Verify with DevTools or securityheaders.com after clearing any CDN cache.

How to fix x content type options weak on BigCommerce

Set the X-Content-Type-Options response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.

Steps for BigCommerce

BigCommerce's platform injects `X-Content-Type-Options: nosniff` by default on storefront responses.
If your scanner reports a duplicate, the extra copy is likely coming from Cloudflare or another CDN/proxy sitting in front of your store.
Log in to your Cloudflare (or other CDN) dashboard → Rules / Transform Rules → Modify Response Headers — remove any rule that adds `X-Content-Type-Options`, since BigCommerce already sets it.
If you use a custom nginx or Apache reverse proxy, remove the header directive from that config.
Verify with DevTools or securityheaders.com after clearing any CDN cache.

Official BigCommerce documentation ↗

X-Content-Type-Options: nosniff

What is x content type options weak?

The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.

Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.

See the complete X content type options weak guide for every platform and the full background.

Not sure if your BigCommerce store has this?

Run a free SEOLZ audit — we’ll find x content type options weak and every other issue across your whole site.

Scan my site free

How to fix x content type options weak on BigCommerce

Steps for BigCommerce

What is x content type options weak?

Not sure if your BigCommerce store has this?

Fix x content type options weak on another platform