Security Headers

How to add X-Content-Type-Options header

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

X-Content-Type-Options is an HTTP response header. When set to nosniff, it tells the browser not to MIME-sniff the response. The browser uses the Content-Type header you send instead of guessing from content.

Why it matters

Without nosniff, a browser might treat a response as a different type (e.g. HTML or script) and execute it, which can lead to XSS or unexpected behavior. nosniff is a simple, high-impact header for static and dynamic responses.

How to fix it

  1. Add the header

     Send X-Content-Type-Options: nosniff on every response. This is a single, fixed value; no configuration needed beyond adding the header.

  2. Set in server or app

     Add the header in your web server config or application middleware so it is sent for HTML, API, and asset responses.

  3. Verify

     Run Barrion's X-Content-Type-Options check or inspect response headers to confirm the header is present.
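The three steps above, worked through in application middleware rather than server config, as an added example that is not Barrion's code and not part of the original page. It assumes a WSGI application (the app, the in-process test client and the sample responses are constructed for this example): the middleware adds the header to every response exactly once, replacing any existing spelling of it, and the checker inspects a response's headers the way step 3 describes, treating a missing header and a wrong value as separate findings.

```python
"""Added example (not Barrion's code): a WSGI middleware that sets
X-Content-Type-Options: nosniff on every response, plus a header checker
for the "Verify" step. Everything runs in-process; no network is used."""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

HEADER_NAME = "X-Content-Type-Options"
HEADER_VALUE = "nosniff"


def nosniff_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so every response carries the header exactly once.

    Header names are case-insensitive, so an existing header with another
    spelling (e.g. "x-content-type-options") is replaced, not duplicated;
    two copies with conflicting values would leave browsers to pick one.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers: Headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != HEADER_NAME.lower()]
            kept.append((HEADER_NAME, HEADER_VALUE))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def check_nosniff(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for a list of response headers.

    Mirrors what a scanner checks: the header must be present and every
    occurrence must be "nosniff" (case-insensitive, surrounding whitespace
    ignored). A missing header and a wrong value are reported separately.
    """
    values = [v.strip() for k, v in headers if k.lower() == HEADER_NAME.lower()]
    if not values:
        return False, f"{HEADER_NAME} header is missing"
    if any(v.lower() != HEADER_VALUE for v in values):
        return False, f"{HEADER_NAME} has unexpected value(s): {values}"
    return True, f"{HEADER_NAME}: {values[0]}"


def call_wsgi(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Minimal in-process WSGI client (constructed for this example):
    returns status, headers and body without opening a socket."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def sample_app(environ, start_response):
    """Toy application (constructed) serving HTML and JSON. It sets only
    Content-Type, so without the middleware no response carries nosniff."""
    if environ["PATH_INFO"] == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>hello</p>"]


if __name__ == "__main__":
    # Compare the bare app with the wrapped app for an HTML and an API route.
    for path in ("/", "/api"):
        _, bare_headers, _ = call_wsgi(sample_app, path)
        _, fixed_headers, _ = call_wsgi(nosniff_middleware(sample_app), path)
        print(path, "before:", check_nosniff(bare_headers))
        print(path, "after: ", check_nosniff(fixed_headers))
```

The checker accepts the header under any capitalisation because HTTP header names are case-insensitive, but it rejects any value other than nosniff; a header that is present with a misspelt value is still a finding, so test both the HTML and API routes rather than only the front page.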

Examples by platform

Nginx

# "always" also adds the header to error responses (4xx/5xx), not only 2xx
add_header X-Content-Type-Options "nosniff" always;

Apache

# Requires mod_headers (on Debian/Ubuntu: a2enmod headers); "always" covers error responses too
Header always set X-Content-Type-Options "nosniff"

Check your site

Run Barrion's free security headers check to see if this finding applies to your app and get a full report.



© 2025 Barrion AB (559569-0917) - All Rights Reserved.