How to fix a missing X-Content-Type-Options header
Your site is missing `X-Content-Type-Options: nosniff`. Without this header, browsers will try to guess the MIME type of files you serve, which can turn an image or text upload into an executed script. The fix is one header, applied to every response: `X-Content-Type-Options: nosniff`. It has no downsides — there is no reason to omit it.
Why it matters
Apps that let users upload files are especially at risk. An attacker can upload a file that looks like a PNG but contains JavaScript, and older browsers would execute it. `nosniff` forces the browser to trust your declared Content-Type.
How to check
1. Open DevTools → Network → click the document request.
2. Under Response Headers, look for `x-content-type-options: nosniff`.
3. Any value other than exactly `nosniff` is invalid.
Or let SafeToShip check it for you in 60 seconds.
How to fix it
Next.js
Add the header alongside other security headers in the `headers()` array of `next.config.js`:
```js
{ key: 'X-Content-Type-Options', value: 'nosniff' }
```
Generic
Send this header on every response:
```http
X-Content-Type-Options: nosniff
```
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
```text
Add `X-Content-Type-Options: nosniff` to my app. Apply it to every route, not just HTML pages. This header has no downside and should be unconditional.
```
FAQ
Frequently asked questions
- Can this break legitimate file serving?
- Only if you are serving files with the wrong Content-Type. Fix the Content-Type at the source — do not omit nosniff to mask the bug.
- Does this replace CSP?
- No. CSP and nosniff solve different problems. Ship both.
Related fix guides
Fix these too
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing X-Frame-Options
Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.
Platform guides
Building on these platforms?
Next.js security
Next.js is the most popular React framework, but even experienced developers miss security headers and accidentally expose server files in production.
Vercel security
Vercel handles hosting and SSL, but your application code still needs security hardening. Missing CSP headers and exposed environment variables are the top issues.