Web Application Security · Updated 2026-05-02
X-Content-Type-Options
One-line header. Pass requires exactly X-Content-Type-Options: nosniff. Disables MIME-type sniffing in browsers.
X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type instead of guessing one from the bytes. In current browsers the concrete effect is that a script is executed only if it was served with a JavaScript MIME type and a stylesheet is applied only if it was served as text/css; older browsers (notably Internet Explorer) would also sniff a text/plain or image response containing HTML or JavaScript and render or execute it, turning user-uploaded files into XSS vectors. The header has exactly one valid value (nosniff) and exactly one job (turn off type-guessing).
It matters most for sites that serve user-uploaded content (file shares, image uploads, PDF previews) from their own origin. It is cheap to add everywhere regardless.
How the check works
Per primary host, the check looks at the X-Content-Type-Options response header. If the value is exactly nosniff (case-insensitive, after trim), the host scores 8/8. Anything else, including missing header or other values, scores 0/8.
How the verdict maps to evidence
- Pass (8/8 per host): X-Content-Type-Options: nosniff.
- Fail (0/8 per host): header missing, or set to anything other than nosniff.
Fix: add the header
Set the header on every HTTPS response. There are no other valid values, no parameters to tune, and no rollout phases.
Per-server snippets
nginx
# add_header is not inherited into a location block that declares its own add_header; repeat it there.
add_header X-Content-Type-Options "nosniff" always;
Apache
# requires mod_headers
Header always set X-Content-Type-Options "nosniff"
Caddy
header X-Content-Type-Options "nosniff"
Cloudflare (Transform Rules)
Set response header via Transform Rules:
Header name: X-Content-Type-Options
Header value: nosniff
AWS CloudFront (Response Headers Policy)
In a Response Headers Policy, add:
Header: X-Content-Type-Options
Value: nosniff
Express / Node.js (Helmet)
import helmet from "helmet";
app.use(helmet.noSniff()); // sets X-Content-Type-Options: nosniff
Django
# settings.py
SECURE_CONTENT_TYPE_NOSNIFF = True  # default since Django 3.0; verify it has not been turned off
Rails
# Rails sets X-Content-Type-Options: nosniff by default via ActionDispatch::DefaultHeaders.
# If you have customized config.action_dispatch.default_headers, confirm nosniff is still in the list.
Verify the fix
- curl -sD - -o /dev/null https://yourdomain.tld/ | grep -i x-content-type-options should show nosniff. Use a GET like this rather than curl -I (which sends HEAD), since some servers and CDNs attach headers differently on HEAD responses.
- Repeat for each primary HTTPS host, and for at least one path that serves user-uploaded content.
- Re-run the RedScore lookup. Pass requires the header on every primary HTTPS host.
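The scoring rule above and the curl verification, as an added example (this is not RedScore's own scanner code): a small Python checker that parses a raw response header block of the kind curl -sD - prints, applies the case-insensitive trimmed comparison, and rolls the per-host scores up the way the page describes. The host names are hypothetical, the sample header blocks are constructed, and the treatment of a repeated header is an assumption the page does not state.

```python
"""Score the X-Content-Type-Options check as the page describes it.

Added example, not RedScore's scanner. Input is a raw HTTP/1.x-style header
block: a status line followed by "Name: value" lines, as printed by
`curl -sD - -o /dev/null URL`.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request

HEADER = "x-content-type-options"
PASS_SCORE = 8  # per-host score from the page: 8/8 on pass, 0/8 otherwise


def header_values(raw: str, name: str) -> list[str]:
    """Return every raw value of header `name` (matched case-insensitively).

    The first line (status line) is skipped. Servers and CDNs emit header
    names in mixed case, so the comparison is done on the lowercased name.
    """
    values = []
    for line in raw.splitlines()[1:]:  # drop "HTTP/1.1 200 OK" / "HTTP/2 200"
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            values.append(value)
    return values


def score_host(raw: str) -> int:
    """8 if X-Content-Type-Options is exactly `nosniff` (case-insensitive, trimmed), else 0.

    Assumption not stated on the page: a repeated header passes only if every
    copy is `nosniff`; a value such as `nosniff, foo` fails.
    """
    values = header_values(raw, HEADER)
    if not values:
        return 0
    if all(v.strip().lower() == "nosniff" for v in values):
        return PASS_SCORE
    return 0


def rollup(per_host: dict[str, int]) -> bool:
    """Page rule: the rollup passes only when every primary host scores 8/8."""
    return bool(per_host) and all(s == PASS_SCORE for s in per_host.values())


def fetch_raw_headers(url: str, timeout: float = 10) -> str:
    """Fetch `url` with a real GET (not HEAD) and return its header block as text.

    4xx/5xx responses are kept: the header must be present on error pages too.
    """
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "xcto-check/1.0"})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError exposes .headers and .getcode() like a response
    with resp:
        status = f"HTTP/1.1 {resp.getcode()}"
        lines = [f"{k}: {v}" for k, v in resp.headers.items()]
    return "\n".join([status, *lines])


# Constructed sample header blocks (not captured from any real site).
SAMPLE_PASS = """HTTP/2 200
content-type: text/html; charset=utf-8
X-Content-Type-Options:  NoSniff  
cache-control: no-store
"""
SAMPLE_WRONG_VALUE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosnif
"""
SAMPLE_MISSING = """HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python xcto_check.py www.yourdomain.tld api.yourdomain.tld (hypothetical hosts)
        results = {h: score_host(fetch_raw_headers(f"https://{h}/")) for h in sys.argv[1:]}
    else:
        results = {
            "sample-pass": score_host(SAMPLE_PASS),
            "sample-wrong-value": score_host(SAMPLE_WRONG_VALUE),
            "sample-missing": score_host(SAMPLE_MISSING),
        }
    for host, score in results.items():
        print(f"{host}: {score}/{PASS_SCORE}")
    print("rollup:", "PASS" if rollup(results) else "FAIL")
```

Run it with no arguments to see the three constructed cases scored, or pass one host name per argument to score live hosts; the rollup line fails as soon as any single host is missing the header, which mirrors the page's "every primary HTTPS host" rule.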
Common pitfalls
- Setting the header to anything other than nosniff. There are no other valid values; the spec ignores anything else and the check scores zero.
- Header set at one layer, stripped at another. CDN, load balancer, and origin can all touch headers. Confirm with curl from outside.
- Forgetting same-zone hosts. The check evaluates every primary host. If api.yourdomain.tld is missing the header, it drops the rollup. Apply the header at the layer that fronts every host.
- Relying on browser defaults. Current browsers have narrowed what they sniff, but without nosniff they will still run a script served as text/plain or apply a stylesheet served with the wrong type; the header is what turns on the strict MIME check, and common hardening baselines (OWASP's secure-headers guidance among them) expect it. Older browsers and some embedded WebViews still depend on it outright.
- Treating this as an alternative to Content-Type. nosniff makes the browser trust the declared Content-Type strictly. If your server declares the wrong Content-Type, nosniff makes that mistake more visible (the browser refuses to interpret the file as anything else). Get Content-Type right at the source.