No X-Content-Type-Options
The X-Content-Type-Options: nosniff response header tells browsers not to guess (sniff) the MIME type of a response and to use only the Content-Type the server declares. This header is currently missing from your site.
Why this matters
Without it, a browser may decide a response's type from its contents rather than from the declared Content-Type. For example, a user-uploaded file served as text/plain could be sniffed as HTML or script and executed in your site's origin, which turns an upload feature into a script-injection (XSS) vector against your visitors. With nosniff set, the browser also refuses to run a script or apply a stylesheet whose declared Content-Type is wrong, so the header protects you only if your server sends correct Content-Type values in the first place.
How to fix it
Add the response header X-Content-Type-Options: nosniff to every response your site returns, not only HTML pages: static assets, uploaded files and error pages all need it, because those are the responses attackers control or probe. Most hosting platforms, web servers and CDNs let you set this in a single configuration line. After deploying, confirm the header is present on a few representative URLs, including an uploaded file and a 404 page, rather than only the home page.
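The following is an added example, not part of this report, showing how to set the header on every response and how to check for it the way a scanner does. It uses only the Python standard library: a small http.server handler that adds nosniff to all responses (including errors), and an audit function run over constructed sample responses. The URLs and header sets in SAMPLE_RESPONSES are made up for illustration.

```python
"""Set and audit X-Content-Type-Options: nosniff (added example, stdlib only)."""
import http.server
from typing import Iterable, List, Mapping, Tuple

NOSNIFF_HEADER = "X-Content-Type-Options"


def nosniff_status(headers: Mapping[str, str]) -> str:
    """Classify one response's headers as 'ok', 'missing' or 'invalid:<value>'.

    Header names are case-insensitive (RFC 9110). Browsers follow the Fetch
    spec's "determine nosniff" rule: only the first comma-separated value is
    examined and it must equal 'nosniff', compared case-insensitively.
    """
    for name, value in headers.items():
        if name.lower() == NOSNIFF_HEADER.lower():
            first = value.split(",", 1)[0].strip()
            if first.lower() == "nosniff":
                return "ok"
            # A near miss such as 'no-sniff' or 'nosniff ' variants with extra
            # tokens are silently ignored by browsers, so treat them as failures.
            return f"invalid:{first}"
    return "missing"


def audit(responses: Iterable[Tuple[str, Mapping[str, str]]]) -> List[Tuple[str, str]]:
    """Return (url, status) for every response that does NOT pass the check."""
    failures = []
    for url, headers in responses:
        status = nosniff_status(headers)
        if status != "ok":
            failures.append((url, status))
    return failures


# Constructed sample responses (hypothetical site) illustrating the cases a
# practitioner should check: a page, a user upload, a script and an error page.
SAMPLE_RESPONSES = [
    ("https://example.test/", {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }),
    ("https://example.test/uploads/notes.txt", {
        "Content-Type": "text/plain",          # header missing: sniffable upload
    }),
    ("https://example.test/static/app.js", {
        "Content-Type": "application/javascript",
        "x-content-type-options": "no-sniff", # typo: browsers ignore this value
    }),
    ("https://example.test/does-not-exist", {
        "Content-Type": "text/html",
        "X-Content-Type-Options": "NOSNIFF",   # case differs but is still valid
    }),
]


class NosniffHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that emits nosniff on every response.

    end_headers() is also reached from send_error(), so 404s and other error
    pages get the header too; that is the behaviour a deployment should have.
    """

    def end_headers(self) -> None:
        self.send_header(NOSNIFF_HEADER, "nosniff")
        super().end_headers()


if __name__ == "__main__":
    # Print the audit result, then serve the current directory with the header.
    for url, status in audit(SAMPLE_RESPONSES):
        print(f"FAIL {status:<18} {url}")
    http.server.HTTPServer(("127.0.0.1", 8000), NosniffHandler).serve_forever()
```

Run against a real site by replacing SAMPLE_RESPONSES with the headers you capture (for example from `curl -sI <url>`), and remember that the audit reports a typo in the value as a failure because browsers treat anything other than `nosniff` as if the header were absent.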