Content Character Encoding is not Defined
Impact: Informational
Description
When the character encoding is not explicitly declared for web content, browsers fall back to guessing it or to a default encoding. A wrong guess can cause characters to be misinterpreted and has historically enabled Cross-Site Scripting (XSS) through alternative encodings such as UTF-7, where bytes that look harmless in one encoding are rendered as markup in another. Declaring the character encoding explicitly ensures correct rendering and removes this ambiguity.
Recommendation
To mitigate this issue, ensure that the character encoding is explicitly defined in either the HTTP header or HTML meta tags. You can set the character encoding in the HTTP header using the Content-Type header field or within HTML meta tags as shown below:
Content-Type: text/html; charset=UTF-8
or
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
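The check behind this finding, written here as an added example rather than code from the original page: given a response's headers and body, it reports whether the charset is declared in the Content-Type header, in a meta tag within the first 1024 bytes of the body (the window a browser's encoding prescan examines), or not at all. The header takes precedence over the meta tag; the sample inputs at the bottom are constructed.

```python
from email.message import Message
from html.parser import HTMLParser
from typing import Optional, Tuple

PRESCAN_BYTES = 1024  # browsers' encoding prescan only examines the first 1024 bytes


def charset_from_content_type(value: str) -> Optional[str]:
    """Extract the charset parameter from a Content-Type value, lower-cased, or None."""
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    if isinstance(charset, str) and charset.strip():
        return charset.strip().lower()
    return None


class _MetaCharsetScanner(HTMLParser):
    """Records the first charset declared by a <meta> tag in the scanned HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.charset: Optional[str] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "meta" or self.charset is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "charset" in a:  # <meta charset="UTF-8">
            self.charset = a["charset"].strip().lower() or None
        elif a.get("http-equiv", "").lower() == "content-type":  # <meta http-equiv=...>
            self.charset = charset_from_content_type(a.get("content", ""))


def declared_charset(headers: dict, body: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (charset, source); source is 'header', 'meta', or None when undeclared."""
    for name, value in headers.items():  # HTTP header wins over any meta tag
        if name.lower() == "content-type":
            cs = charset_from_content_type(value)
            if cs:
                return cs, "header"
    scanner = _MetaCharsetScanner()
    scanner.feed(body[:PRESCAN_BYTES].decode("ascii", errors="ignore"))
    return (scanner.charset, "meta") if scanner.charset else (None, None)


if __name__ == "__main__":
    # Constructed sample: charset only in the HTML, not in the header.
    body = b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head></html>'
    print(declared_charset({"Content-Type": "text/html"}, body))  # -> ('utf-8', 'meta')
```

A meta tag placed after the first 1024 bytes is reported as undeclared, which matches what a browser's prescan would see.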
Last updated on May 13, 2024