Two issues:
- The x-content-type-options setting mustn’t be under Crypto “HSTS”, since it isn’t related.
- Cloudflare must follow the spec and add “x-content-type-options: nosniff” only to JS and CSS; see the Fetch Standard: ‘Note: nosniff only applies to “script” and “style” types. Also applying nosniff to images turned out to be incompatible with existing web sites.’
Even when the origin server defines x-content-type-options correctly, Cloudflare will still rewrite it (and add a bug) when “No-Sniff Header” is enabled in Crypto > HSTS settings.
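To make the quoted Fetch Standard note concrete, here is an added example (not part of the original post, and not Cloudflare's code) that implements the Fetch "should response to request be blocked due to nosniff?" algorithm over a set of constructed responses. It shows which request destinations the header actually affects: a nosniff response is blocked only for script-like and style destinations with a wrong MIME type; for images and other destinations the header has no effect in this algorithm. The sample responses and URLs are constructed for the demo.

```python
"""Fetch-standard nosniff check (added example, not Cloudflare's implementation)."""
from typing import Mapping, Optional

# JavaScript MIME type essences as listed in the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Request destinations the Fetch Standard treats as "script-like".
SCRIPT_LIKE_DESTINATIONS = frozenset({
    "script", "worker", "sharedworker", "serviceworker", "audioworklet", "paintworklet",
})


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def determine_nosniff(headers: Mapping[str, str]) -> bool:
    """Fetch 'determine nosniff': only the first comma-separated value counts."""
    raw = _get_header(headers, "x-content-type-options")
    if raw is None:
        return False
    first_value = raw.split(",")[0].strip()
    return first_value.lower() == "nosniff"


def extract_mime_essence(headers: Mapping[str, str]) -> Optional[str]:
    """Return the type/subtype of Content-Type, or None on failure."""
    raw = _get_header(headers, "content-type")
    if raw is None:
        return None
    essence = raw.split(";")[0].strip().lower()
    return essence if "/" in essence else None


def should_block_due_to_nosniff(destination: str, headers: Mapping[str, str]) -> bool:
    """Fetch 'should response to request be blocked due to nosniff?'."""
    if not determine_nosniff(headers):
        return False
    mime = extract_mime_essence(headers)
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return mime is None or mime not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return mime != "text/css"
    return False  # images, documents, fetch(), etc. are never blocked by nosniff


def nosniff_effect(destination: str, headers: Mapping[str, str]) -> str:
    """Summarise what the header does for one (destination, response) pair."""
    if not determine_nosniff(headers):
        return "no-header"
    if destination not in SCRIPT_LIKE_DESTINATIONS and destination != "style":
        return "no-effect"
    return "blocked" if should_block_due_to_nosniff(destination, headers) else "allowed"


# Constructed sample responses (hypothetical URLs), as a CDN-style edge might emit them.
SAMPLE_RESPONSES = [
    ("script", "/app.js", {"Content-Type": "text/javascript; charset=utf-8",
                           "X-Content-Type-Options": "nosniff"}),
    ("script", "/misconfigured.js", {"Content-Type": "text/plain",
                                     "X-Content-Type-Options": "nosniff"}),
    ("style", "/site.css", {"Content-Type": "text/css", "X-Content-Type-Options": "NoSniff"}),
    ("image", "/logo.png", {"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"}),
    ("document", "/index.html", {"Content-Type": "text/html"}),
]


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each sample URL to the effect the nosniff header has on it."""
    return {url: nosniff_effect(dest, hdrs) for dest, url, hdrs in responses}


if __name__ == "__main__":
    for url, effect in audit().items():
        print(f"{url:20s} {effect}")
```

Running the block prints one line per sample: the correctly typed script and stylesheet are allowed, the `text/plain` script is blocked, the image shows `no-effect`, and the header-less document shows `no-header`.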