How to Add X-Content-Type-Options: nosniff

Stop browsers from MIME-sniffing responses — a one-line header that closes an XSS vector.

Easy Medium Impact 2 min

Why It Matters

Without this header, browsers may "sniff" a response's content type and execute, say, an uploaded image as a script. nosniff forces the browser to honour the declared Content-Type, closing that vector.

How to Fix

Send the header site-wide

Add X-Content-Type-Options: nosniff to every response.

Set correct content types

Make sure your server sends accurate Content-Type headers so nosniff doesn't break legitimate files.

Code Fix

http

Before (broken)

# No X-Content-Type-Options header

After (fixed)

X-Content-Type-Options: nosniff

Platform-Specific Instructions

WordPress

Add via a security-headers plugin or .htaccess.

Next.js

Add it under headers() in next.config.js.

Check with our tool

HTTP Header Checker

Want to find all issues at once?

Run a free audit and get a prioritized fix list with auto-generated code.

Run a free audit