Low severity · Next.js

Missing X-Content-Type-Options on Next.js

Your site is missing `X-Content-Type-Options: nosniff`. Without this header, browsers will try to guess the MIME type of files you serve, which can turn an image or text upload into an executed script. The fix is one header, applied to every response: `X-Content-Type-Options: nosniff`. It has no downsides — there is no reason to omit it.

The fix for Next.js

Add the header alongside other security headers.

`{ key: 'X-Content-Type-Options', value: 'nosniff' }`
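A complete `next.config.js` that applies the entry above to every route, plus a small check you can run against the response headers of your deployed site. This is an added example, not the scanner's or Next.js's own code; `securityHeaders` and `hasNosniff` are helper names assumed here, and the sample responses are constructed.

```javascript
// next.config.js (added example). `source: '/:path*'` matches every route,
// so the header is unconditional: pages, API routes and static assets alike.
const NOSNIFF = { key: 'X-Content-Type-Options', value: 'nosniff' };

// Header rules Next.js applies; kept in a plain function so they can be tested.
function securityHeaders() {
  return [
    {
      source: '/:path*',
      headers: [
        NOSNIFF,
        // Other security headers you already ship belong in this same array.
      ],
    },
  ];
}

const nextConfig = {
  async headers() {
    return securityHeaders();
  },
};

// Verification helper (assumed, not part of Next.js): pass the headers of a
// fetched response, e.g. Object.fromEntries(res.headers), and it reports
// whether nosniff is set. Header names are case-insensitive, so normalise.
function hasNosniff(responseHeaders) {
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (name.toLowerCase() === 'x-content-type-options') {
      return String(value).trim().toLowerCase() === 'nosniff';
    }
  }
  return false;
}

// Constructed sample responses: before and after the fix.
const before = { 'content-type': 'image/png' };
const after = { 'content-type': 'image/png', 'x-content-type-options': 'nosniff' };

// Guarded so the file also loads outside a CommonJS context.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

After deploying, fetch any route (an image or API response, not only an HTML page) and feed its headers to `hasNosniff`; a `false` means the rule is not reaching that route.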

Why it matters

Apps that let users upload files are especially at risk. An attacker can upload a file that looks like a PNG but contains JavaScript, and older browsers would execute it. `nosniff` forces the browser to trust your declared Content-Type.

Confirm the fix worked

Scan your Next.js site to confirm this finding is gone.

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

Add `X-Content-Type-Options: nosniff` to my app. Apply it to every route, not just HTML pages. This header has no downside and should be unconditional.

FAQ

Frequently asked questions

Can this break legitimate file serving?
Only if you are serving files with the wrong Content-Type. Fix the Content-Type at the source — do not omit nosniff to mask the bug.
Does this replace CSP?
No. CSP and nosniff solve different problems. Ship both.