Infamous The "X-Content-Type-Options" HTTP header is not set to "nosniff"

The issue you are facing:
On the Admin page I get the

The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

How can I deal with this?

Nextcloud version: 13.0.0
Operating system and version:
Linux osmc2 4.9.29-15-osmc
PRETTY_NAME="Open Source Media Center"
VERSION="January 2018"
Apache or nginx version : Apache/2.4.25 (Debian)
PHP version: PHP 7.0.27-0+deb9u1 (cli)

Is this the first time you’ve seen this error?:
No, I had it since the installation.

Steps to replicate it:

  1. Navigate to the Admin page

The output of your Nextcloud log in Admin > Logging:

Here it is.

The output of your config.php file in /path/to/nextcloud:

$CONFIG = array (
  'instanceid' => '----------------',
  'passwordsalt' => '------------------------------------------',
  'secret' => '-----------------------------------',
  'trusted_domains' =>
  array (
    0 => '----------------',
    1 => '',
  'datadirectory' => '/mnt/clouddrive',
  'overwrite.cli.url' => 'http://-------------------------/nextcloud',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_-------------------',
  'dbpassword' => '---------------------------',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'maintenance' => false,
  'updater.secret' => '------------------------------------------',
  'theme' => '',
  'loglevel' => 2,

The output of your Apache/nginx/system log in /var/log/____:

Here it is.

The output of /var/www/htnl/nextcloud/.htaccess:

Here it is.

The output of /etc/apache2/apache2.conf:

Here it is.

Let me know if I need to provide more information.


Can you please run curl -v against your server (either IP or dns name)? For example:
curl -v https://your.domain.tld/nextcloud

From the output, please copy the whole output or at least all lines with “x-…” (for example: x-content-type-options and x-frame-options, …) and post it here. If you copy the whole output, please make sure to remove your full qualified domain name (fqdn), IPs and probably the Cookie-Strings and session passphrase.

I’m aiming for doubled headers, that cause this message as well.

Oh and is the module mod_env for apache enabled or disabled right now?

Here is the curl -v output.

And mod_env should be enalbed according to this:

osmc@osmc2:~$ a2enmod env
Module env already enabled


You wrote you use apache and in the curl output it says the web server is nginx. So you are using both and nginx or apache as proxy, right?

Could you check the headers again, when you access your server from the outside (not with curl on the same machine)?
This site could help:

Please look for double headers. If this scanner shows double headers with “nosniff”, please make sure that only one web server - apache or nginx - sends this header.

Here is the result of HTTP response headers analyses:

I’m really confused now because this points out to what you suggested. There is NGINX server that I’m not aware of.
What I did on my raspberry pi is install OSMC to serve as OS and then installed Apache. I never installed NGINX.
Can this somehow be connected with the fact that I’m using dataplicity to access my Apache\NextCloud server?
In case you are not familiar with dataplicity, here is how it works.


Yes, that is very likely. However, to come to a solution finally … :slight_smile:
… please open your .htaccess file, search for the following line and change it accordingly:

Header set X-Content-Type-Options "nosniff"
# Header set X-Content-Type-Options "nosniff"

Save the changes and then restart apache. Please check your admin page again, if the error disappeared.


Yes, that resolved the issue. The admin page doesn’t show any errors.

Strangely enough now shows that I don’t have X-Content-Type-Options set to nosniff, but I honestly don’t care :slight_smile:
I’ve tried to access my server using local IP address and admin page show the error again.

Bottom line is that if I want to use dataplicity to access the server outside my network, I need to have X-Content-Type-Options set to nosniff, since it seems there is NGINX server somewhere in between with the option set already.

I changed the .htaccess file, and now I’m getting an INVALID_HASH warning message.

hey, i just hit this error myself. Why is the solution to the system complaining about the header being missing, to get rid of it?

this brings up some security concerns. If i set it to include the header “Always” as recommended in the installation manual i get this error, if i turn off the header it goes away. Is this a bug?

1 Like

I think the problem is that the header is specified multiple-times in the configuration file / or .htaccess. Removing the duplicate lines solved the issue for me. (Reference: