How to fix x content type options weak on Shopify

Set the X-Content-Type-Options response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.

Steps for Shopify

  1. Shopify's core storefront automatically sends `X-Content-Type-Options: nosniff` — if your scanner shows a duplicate or malformed value, the extra copy is almost certainly coming from a third-party app or a Cloudflare/CDN layer you've added.
  2. Check installed apps: Shopify Admin → Apps — look for any 'security headers' or 'HTTP headers' app and review its settings. Disable or remove any app that is independently setting this header.
  3. If you use Cloudflare in front of Shopify: Cloudflare Dashboard → your domain → Rules → Transform Rules → Modify Response Headers — delete any rule that sets `X-Content-Type-Options`, since Shopify already handles it.
  4. Verify the fix: open Chrome DevTools on your storefront, go to Network → select any page request → Headers, and confirm `X-Content-Type-Options: nosniff` appears exactly once.

What is x content type options weak?

The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.
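As an added example (not SEOLZ's tooling or Shopify's code), the following Python script automates the verification in step 4 and classifies the malformed variants described above: it passes a response only when `X-Content-Type-Options` is present exactly once and carries the single value `nosniff`, and otherwise reports whether the header is missing, empty, sent twice, or merged into `nosniff, nosniff`. The sample header sets are constructed for illustration; `fetch_headers` is an assumed helper that pulls live headers with the standard library and keeps duplicate headers as separate pairs so that a double-set header from an app or CDN layer is not silently folded together.

```python
"""Check that a response carries exactly one X-Content-Type-Options: nosniff header."""
import urllib.request
from typing import Iterable, List, Tuple

HEADER = "x-content-type-options"


def check_nosniff(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for a sequence of (name, value) response header pairs.

    Passes only when the header appears exactly once and its value is 'nosniff'
    (browsers match the value case-insensitively; Shopify sends it lowercase).
    """
    values = [v.strip() for n, v in headers if n.lower() == HEADER]
    if not values:
        return False, "header missing"
    if len(values) > 1:
        # Two separate header lines: typically Shopify plus an app/CDN rule.
        return False, f"header sent {len(values)} times: {values}"
    value = values[0]
    if value == "":
        return False, "header present but empty"
    if "," in value:
        # A proxy merged two copies into one line, e.g. 'nosniff, nosniff';
        # browsers do not recognise that as 'nosniff'.
        return False, f"duplicate/merged value: {value!r}"
    if value.lower() != "nosniff":
        return False, f"unexpected value: {value!r}"
    return True, "ok"


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Assumed helper: fetch a URL and return its raw response headers.

    HTTPMessage.items() returns every header line, so duplicates survive.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "nosniff-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.headers.items())


# Constructed sample header sets (not real captures) covering the cases
# described on the page: correct, duplicated, merged, empty and missing.
SAMPLES = {
    "correct": [("Content-Type", "text/html"), ("X-Content-Type-Options", "nosniff")],
    "duplicated": [("X-Content-Type-Options", "nosniff"), ("x-content-type-options", "nosniff")],
    "merged": [("X-Content-Type-Options", "nosniff, nosniff")],
    "empty": [("X-Content-Type-Options", "")],
    "missing": [("Content-Type", "text/css")],
}


def audit_samples() -> dict:
    """Run the check over every constructed sample; only 'correct' should pass."""
    return {name: check_nosniff(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    import sys

    for name, ok in audit_samples().items():
        print(f"{name:10s} -> {'PASS' if ok else 'FAIL'}: {check_nosniff(SAMPLES[name])[1]}")
    if len(sys.argv) > 1:  # optional: check a live storefront URL
        ok, reason = check_nosniff(fetch_headers(sys.argv[1]))
        print(sys.argv[1], "->", "PASS" if ok else "FAIL", reason)
```

Run it with your storefront URL as the first argument to check the live page; run it with no arguments to see how each misconfiguration is reported. Check an asset URL (a theme CSS or image file) as well as the HTML page, since the header must be present on everything the store serves.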

Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.


Not sure if your Shopify store has this?

Run a free SEOLZ audit — we’ll find x content type options weak and every other issue across your whole site.
