Description
The absence of the X-Content-Type-Options response HTTP header may expose a website to MIME sniffing attacks. MIME sniffing is the process by which a browser inspects the bytes of a response to guess its media type instead of relying on the declared Content-Type; browsers do this when the Content-Type header is missing, and in some cases even when it is present but looks wrong for the context. If an attacker can control the body of a response (for example an uploaded file served with a harmless type such as text/plain or an image type), sniffing can cause the browser to treat non-executable content as HTML, JavaScript or CSS, potentially enabling attacks such as cross-site scripting against users of the site.
Recommendation
To mitigate this risk, configure your server to send the X-Content-Type-Options header with the value nosniff on every response, including static assets, API responses and error pages. nosniff is the only defined value; a misspelt value (such as no-sniff) is ignored by browsers. The header instructs browsers not to perform MIME sniffing and to strictly respect the declared Content-Type: script and stylesheet loads whose declared type does not match the expected type are blocked outright. Because the header only makes browsers trust the declared type, it is effective only when the Content-Type sent for each resource is itself correct. Verify the fix by inspecting the response headers of several resource types, not just the main HTML page.
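The following Python example is added here to illustrate the two halves of the recommendation; it is not code from the original page. It checks whether a response's headers actually enable nosniff, using the same rule browsers apply (case-insensitive header name, first comma-separated element of the first value must equal nosniff case-insensitively), and it shows a WSGI middleware that appends the header to responses that lack it. The sample responses, the demo_app and the helper names are constructed for the example and are assumptions, not captured traffic.

```python
"""Detect a missing or ineffective X-Content-Type-Options header and add it.

Added example for this page; not part of the original text or of any
scanner's own code.
"""
from typing import Iterable, List, Tuple

HEADER = "X-Content-Type-Options"


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response into (name, value) pairs.

    The first line (status line) is skipped; a blank line ends the block.
    Duplicate header names are preserved in order.
    """
    lines = raw.strip().splitlines()
    pairs: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def nosniff_enabled(headers: Iterable[Tuple[str, str]]) -> bool:
    """Mirror the Fetch standard's 'determine nosniff' rule.

    Header names are case-insensitive. The first X-Content-Type-Options value
    is split on commas and its first element must be 'nosniff' (ASCII
    case-insensitive). A missing header, an empty value or a typo such as
    'no-sniff' all mean sniffing is NOT blocked.
    """
    for name, value in headers:
        if name.lower() == HEADER.lower():
            first = value.split(",")[0].strip()
            return first.lower() == "nosniff"
    return False


def add_nosniff(app):
    """WSGI middleware: append 'X-Content-Type-Options: nosniff' to every
    response that does not already carry the header (assumed helper name)."""
    def wrapped(environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            if not any(n.lower() == HEADER.lower() for n, _ in response_headers):
                response_headers.append((HEADER, "nosniff"))
            return start_response(status, response_headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


# Constructed sample responses (not captured from any real server).
MISSING = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: example
"""

WRONG_VALUE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: no-sniff
"""

CORRECT = """HTTP/1.1 200 OK
content-type: text/html
x-content-type-options: NOSNIFF
"""


def demo_app(environ, start_response):
    """Minimal WSGI app that forgets to set the header (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_wsgi(app) -> List[Tuple[str, str]]:
    """Call a WSGI app once with a minimal environ; return the headers it sent."""
    sent: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        sent.extend(headers)
        return lambda data: None

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return sent


if __name__ == "__main__":
    for label, raw in (("missing", MISSING), ("typo", WRONG_VALUE), ("ok", CORRECT)):
        print(f"{label:8s} nosniff={nosniff_enabled(parse_raw_headers(raw))}")
    print("app without middleware:", nosniff_enabled(run_wsgi(demo_app)))
    print("app with middleware:   ", nosniff_enabled(run_wsgi(add_nosniff(demo_app))))
```

The checker deliberately rejects near-misses such as no-sniff because browsers do too; a scanner that only tests for the header's presence would report such a server as fixed while it remains exposed. The middleware is a last-resort fallback for frameworks that do not set the header themselves; setting it at the web server or CDN layer covers static files and error pages that application code never sees.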
References
- Mozilla: Web Security
- Mozilla: X-Content-Type-Options
- Mozilla: MIME sniffing
- Mozilla: MIME types (IANA media types)
- OWASP: X-Content-Type-Options Header
- CWE-16: Configuration
- OWASP Top 10 2021: A05 Security Misconfiguration