According to Cloudflare docs this header is configured in the HSTS settings, but I have HSTS disabled. I tried enabling HSTS and specifically deactivating the x-content-type-options header but the header is still sent. It's not a browser caching issue because the presence of the header is also visible via curl -vv https://example.com/...
The issue came up after upgrading Apache webserver to version 2.4 which dropped the setting for default content type (DefaultType), based on the reason that in modern times the browsers should take responsibility for sniffing out the type, and Cloudflare's header blocks the browsers from doing it.
Generally this option is inside the /etc/apache2/conf-enabled/security.conf (or equivalent). Check the file or search for with something like
If you cannot access the filesystem, I suppose you have some sort of control panel, is that right?
E.g. ISPConfig sets this option inside its vhost configuration, in /etc/apache2/sites-enabled/000-ispconfig.vhost and in /etc/apache2/sites-enabled/000-apps.vhost
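One way to check which of those files actually sets the header, as an added example that is not part of the answer above: the function names find_nosniff and demo and the sample config tree are constructed for illustration. It separates live Header directives from commented-out ones, since a config file may carry the directive only as a comment.

```shell
#!/bin/sh
# List Apache "Header" directives that mention X-Content-Type-Options under a
# config directory, marking each one ACTIVE or COMMENTED.
find_nosniff() {
    # -R follows the symlinks used by conf-enabled/ and sites-enabled/;
    # -i because Apache directive and header names are case-insensitive.
    grep -RHinE '^[[:space:]]*#?[[:space:]]*Header[[:space:]].*X-Content-Type-Options' "$1" 2>/dev/null |
    while IFS=: read -r file line text; do
        text=${text#"${text%%[![:space:]]*}"}   # strip leading whitespace
        case "$text" in
            '#'*) state=COMMENTED ;;
            *)    state=ACTIVE ;;
        esac
        printf '%s %s:%s %s\n' "$state" "$file" "$line" "$text"
    done
}

# Constructed sample tree (not taken from a real server) to show the output.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf-enabled" "$d/sites-enabled"
    cat > "$d/conf-enabled/security.conf" <<'EOF'
ServerTokens Prod
#Header set X-Content-Type-Options: "nosniff"
EOF
    cat > "$d/sites-enabled/000-example.vhost" <<'EOF'
<VirtualHost *:80>
    Header always set X-Content-Type-Options "nosniff"
</VirtualHost>
EOF
    find_nosniff "$d"
    rm -rf "$d"
}

demo
```

On a Debian-style layout the real call would be find_nosniff /etc/apache2; if it prints no ACTIVE line, no config file under that directory sets the header.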