How to fix x content type options weak on WooCommerce

Steps for WooCommerce

1. Install the free 'HTTP Headers' plugin (author: John Henckel) or 'Headers Security Advanced & CORS' from the WordPress plugin directory.
2. WordPress Admin → Settings → HTTP Headers (or the plugin's settings page) — find the `X-Content-Type-Options` field and set it to `nosniff`. Save.
3. If you are also setting the header via your server (see below), disable it in one location to prevent duplication.
4. Alternatively, edit your `.htaccess` file (Apache) in the WordPress root directory and add: `<IfModule mod_headers.c>` / `Header set X-Content-Type-Options "nosniff"` / `</IfModule>` — but only if you are NOT setting it via a plugin.
5. For Nginx hosting, ask your host to add `add_header X-Content-Type-Options "nosniff" always;` to the server block in the nginx config, and remove any plugin that also sets it.
6. Verify: use a browser's DevTools Network tab or securityheaders.com to confirm exactly one `nosniff` value.

X-Content-Type-Options: nosniff

What is x content type options weak?

The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.

Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.

See the complete X content type options weak guide for every platform and the full background.