How to fix x content type options weak on PrestaShop

Steps for PrestaShop

1. Edit your Apache `.htaccess` file in the PrestaShop root, or your Nginx server block config.
2. Apache: add `Header always set X-Content-Type-Options "nosniff"` inside a `<IfModule mod_headers.c>` block.
3. Nginx: add `add_header X-Content-Type-Options "nosniff" always;` in the server block.
4. Remove any duplicate directives or conflicting module settings.
5. Reload the web server and verify with DevTools.

X-Content-Type-Options: nosniff

What is x content type options weak?

The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.

Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.

See the complete X content type options weak guide for every platform and the full background.