Description
The absence of the X-Content-Type-Options response HTTP header may expose a website to MIME sniffing attacks. MIME sniffing, performed by browsers when the MIME type is not explicitly declared, can lead to the interpretation of non-executable content as executable, potentially exposing users to security risks.
Recommendation
To mitigate this risk, configure your server to send the X-Content-Type-Options header with the value set to nosniff. This instructs browsers not to perform MIME sniffing and to strictly respect the declared content type.
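The following is an added example, not code from the original advisory, showing how a defender can verify the recommendation above programmatically and apply it to a response that lacks the header. It models a response as a list of (name, value) header tuples, the shape WSGI applications and many HTTP client libraries use; the sample responses, the function names and the header-list shape are assumptions of the example. The check follows the browser-side rule from the Fetch standard: the header name is matched case-insensitively, the value is parsed as a comma-separated list, and only the first element has to equal "nosniff" (case-insensitively), so a misspelled or empty value leaves the protection off even though a header with the right name is present.

```python
"""Check for, and add, the X-Content-Type-Options: nosniff response header.

Added example (not part of the original advisory). Headers are modelled as a
list of (name, value) tuples, as in WSGI and most HTTP libraries.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

HEADER_NAME = "X-Content-Type-Options"


def nosniff_enabled(headers: Headers) -> bool:
    """Return True if a browser will honour nosniff for this response.

    Mirrors the Fetch standard's "determine nosniff" step: the header name is
    compared case-insensitively, the value is split as a comma-separated list,
    and only the first list element is compared (case-insensitively) against
    "nosniff". A missing header, an empty value or any other first value
    means sniffing is NOT disabled.
    """
    values = []
    for name, value in headers:
        if name.lower() == HEADER_NAME.lower():
            values.extend(part.strip() for part in value.split(","))
    if not values:
        return False
    return values[0].lower() == "nosniff"


def add_nosniff(headers: Headers) -> Headers:
    """Return a copy of headers carrying exactly one correct nosniff header.

    Any existing X-Content-Type-Options header (whatever its value) is
    replaced, so a stale or misspelled value cannot shadow the correct one.
    """
    kept = [(n, v) for n, v in headers if n.lower() != HEADER_NAME.lower()]
    kept.append((HEADER_NAME, "nosniff"))
    return kept


def audit(responses: Dict[str, Headers]) -> List[str]:
    """Return the labels of the responses whose headers do not disable sniffing."""
    return [label for label, hdrs in responses.items() if not nosniff_enabled(hdrs)]


# Constructed sample responses for the demonstration; not captured from any real site.
SAMPLE_RESPONSES: Dict[str, Headers] = {
    "missing": [("Content-Type", "text/html; charset=utf-8")],
    "correct": [("Content-Type", "text/html"), ("X-Content-Type-Options", "nosniff")],
    "lowercase": [("x-content-type-options", "NOSNIFF")],   # still valid: case-insensitive
    "wrong-value": [("X-Content-Type-Options", "no-sniff")],  # looks right, does nothing
    "empty": [("X-Content-Type-Options", "")],                # header present, value missing
}

if __name__ == "__main__":
    for label in audit(SAMPLE_RESPONSES):
        fixed = add_nosniff(SAMPLE_RESPONSES[label])
        print(f"{label}: nosniff not enabled -> corrected headers: {fixed}")
```

In a real deployment the same header is normally set once at the web server or reverse proxy so every response, including error pages and static files, carries it; the check above is useful in a test suite or a scanner to confirm that the configuration actually reaches the client.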
References
- Mozilla: Web Security
- Mozilla: X-Content-Type-Options
- Mozilla: MIME sniffing
- Mozilla: MIME types (IANA media types)
- OWASP: X-Content-Type-Options Header
- CWE-16
- OWASP 2021-A5
Related Issues
- X-Frame-Options Header is Missing - Vulnerability
- Content-Security-Policy Header is Missing - Vulnerability
- X-XSS-Protection Header is Missing - Vulnerability
- Referrer-Policy Header is Missing - Vulnerability
Tags
- HTTP Headers
- MIME Sniffing
- Application Misconfiguration
Last updated on May 13, 2024