Missing X-Content-Type-Options Header

What This Means

This issue covers URLs that are missing the ‘X-Content-Type-Options’ response header with a nosniff value. In the absence of a MIME type, browsers may ‘sniff’ the content to guess its type so they can interpret it correctly for users. However, attackers can exploit this behaviour to try to load malicious code, such as JavaScript delivered via an image they have compromised.

What Triggers This Issue

This issue is triggered when a URL is missing the ‘X-Content-Type-Options’ response header with a nosniff value. The expected header looks like this:

X-Content-Type-Options: nosniff

How To Fix

To minimise security issues, the X-Content-Type-Options response header should be supplied and set to nosniff. This instructs browsers to rely only on the Content-Type header and block anything that does not match it. It also means the Content-Type set on each response needs to be accurate.
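The check described above, written as an added example that is not part of the original page or of any crawler's own code: it audits response headers for a nosniff value and for the Content-Type that nosniff makes the browser rely on. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit response headers for the issue described on this page.

def nosniff_enabled(headers):
    """Return True if X-Content-Type-Options resolves to nosniff.

    Header names are case-insensitive. As in the Fetch standard's
    "determine nosniff" steps, repeated headers are combined, split on
    commas, and only the first value is compared (case-insensitively).
    Simplification: quoted strings inside the value are not handled.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-content-type-options":
            values.extend(v.strip() for v in value.split(","))
    return bool(values) and values[0].lower() == "nosniff"


def content_type(headers):
    """Return the media type from Content-Type without parameters, or None."""
    for name, value in headers:
        if name.strip().lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() or None
    return None


def audit(url, headers):
    """Return a list of findings for one response (empty list means OK)."""
    findings = []
    if not nosniff_enabled(headers):
        findings.append(f"{url}: missing X-Content-Type-Options: nosniff")
    if content_type(headers) is None:
        findings.append(f"{url}: no Content-Type header (browser may sniff the type)")
    return findings


# Constructed sample responses: (URL, list of (header name, header value)).
SAMPLES = [
    ("https://example.com/", [("Content-Type", "text/html; charset=utf-8"),
                              ("x-content-type-options", "NoSniff")]),
    ("https://example.com/logo.png", [("Content-Type", "image/png")]),
    ("https://example.com/upload/1", [("X-Content-Type-Options", "nosniff")]),
    ("https://example.com/app.js", [("Content-Type", "text/javascript"),
                                    ("X-Content-Type-Options", "none, nosniff")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for finding in audit(url, headers):
            print(finding)
```

The last sample is flagged even though the word nosniff appears in the header, because only the first comma-separated value is evaluated.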

