X-Content-Type-Options missing — MIME sniffing risk and the fix
Browsers may MIME-sniff a response body when the Content-Type header is missing or ambiguous, and X-Content-Type-Options: nosniff is what tells them not to. Without it, file uploads, edge cases, and misconfigured static hosts are more likely to be rendered as executable HTML or JavaScript.
Real-world risk
Browsers may MIME-sniff responses; content-type confusion can turn an uploaded file or an edge-case response into an executable context (HTML or script) running in the origin that served it.
Fix steps (in order)
- Add X-Content-Type-Options: nosniff on HTML and API responses.
Example configurations
Patterns for common stacks. Set headers at your CDN, load balancer, or origin as appropriate.
nginx
# "always" also applies the header to 4xx/5xx responses, not only successful ones
add_header X-Content-Type-Options "nosniff" always;
Express (helmet)
import express from "express"; import helmet from "helmet";
const app = express(); app.use(helmet.noSniff()); // sets X-Content-Type-Options: nosniff on every response
Apache
# use "Header always set ..." if error responses should carry it too
Header set X-Content-Type-Options "nosniff"
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_xcto) clears once the externally-observable signal is in place.
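To see what "externally-observable signal" means in practice, here is an added example (not Scorifya's scanner code) that evaluates the missing_xcto finding offline against a captured header list, applying the same rule browsers use: the first X-Content-Type-Options value must be exactly nosniff, compared case-insensitively. The function names and the sample header sets are constructed for this example.

```python
"""Evaluate the missing_xcto finding from a response header list (offline)."""
from typing import Iterable, Optional

Header = tuple  # (name, value) pairs, as returned by http.client's getheaders()


def first_header(headers: Iterable[Header], name: str) -> Optional[str]:
    """Return the first value for `name`; HTTP header names are case-insensitive."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def nosniff_enforced(headers: Iterable[Header]) -> bool:
    """True when a browser will honour nosniff for this response.

    Browsers look only at the first X-Content-Type-Options header, take the
    first comma-separated token, trim it, and compare to "nosniff" ignoring
    case. A typo such as "no-sniff" or an empty value is silently ignored.
    """
    value = first_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    token = value.split(",")[0].strip()
    return token.lower() == "nosniff"


def check_missing_xcto(headers: Iterable[Header]) -> dict:
    """Report the finding the way a header scan would: set or missing_xcto."""
    headers = list(headers)
    return {
        "finding": None if nosniff_enforced(headers) else "missing_xcto",
        "content_type_declared": first_header(headers, "Content-Type") is not None,
        "value_seen": first_header(headers, "X-Content-Type-Options"),
    }


# Constructed sample responses for the example; not captured from any real host.
BEFORE_FIX = [("Content-Type", "text/html; charset=utf-8"), ("Cache-Control", "no-store")]
TYPO = [("content-type", "application/json"), ("x-content-type-options", "no-sniff")]
AFTER_FIX = [("Content-Type", "application/json"), ("X-Content-Type-Options", "nosniff")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("typo", TYPO), ("after", AFTER_FIX)):
        print(label, check_missing_xcto(hdrs))
```

To check a live host, pass the list from `http.client.HTTPResponse.getheaders()` to `check_missing_xcto`; the TYPO case shows why a header that is present but misspelled still counts as missing.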