Security · Low

X-Content-Type-Options

Checks for X-Content-Type-Options: nosniff — prevents MIME sniffing attacks.

What this check measures

We read the `X-Content-Type-Options` response header; its value must be exactly `nosniff`. Without it, a browser may sniff the response body and interpret a `.txt` file that contains JavaScript as a script.

Why it matters

Prevents an attacker who uploads a text file to your CDN from having it execute as JavaScript. A small but simple defense — no reason to omit.


How our audit detects it

We read the `X-Content-Type-Options` header value from the response. The check passes only if the value equals `nosniff`.

Typical findings

  • Header missing entirely.
  • Typo or wrong casing: a value other than exactly `nosniff` (value must be lowercase).

How to fix

Add `X-Content-Type-Options: nosniff` to every HTTP response. One line in your framework's headers config.

Copy-paste fix prompt for your stack

Lovable · Cursor · Bolt · v0 · Replit · Windsurf · Claude Code · Base44


Frequently asked questions

Any downside?
None. Universally supported, no performance impact, no configuration complexity.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

