X-Content-Type-Options Header is Missing

Impact: Informational

Description

When the X-Content-Type-Options HTTP response header is absent, a website may be exposed to MIME sniffing attacks. Browsers perform MIME sniffing when the content type is not explicitly declared, inspecting the response body to guess its type. This can cause content that was never meant to be executable (for example, a plain text file) to be interpreted and run as script, exposing users to security risks.

Recommendation

To mitigate this risk, configure your server to send the X-Content-Type-Options header with the value set to nosniff. This instructs browsers not to perform MIME sniffing and to strictly respect the declared content type.
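The check below is an added example for this page, not SmartScanner's own code: it parses a raw HTTP response and classifies it as missing, invalid or correctly set, using the same rule browsers apply (the first comma-separated token of the first X-Content-Type-Options header must be "nosniff", compared case-insensitively). The three responses at the bottom are constructed samples.

```python
"""Check whether an HTTP response sets X-Content-Type-Options: nosniff.

Added example for this page (not SmartScanner's own code). The sample
responses at the bottom are constructed, not captured traffic.
"""
from typing import List, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response (status line + headers [+ body]) into
    (name, value) pairs. Header names are case-insensitive, so they are
    lowercased; only the header block before the blank line is parsed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def nosniff_status(raw: str) -> str:
    """Classify a response as 'ok', 'missing' or 'invalid'.

    Browsers honour the header only when the first comma-separated token of
    its first occurrence is 'nosniff' (ASCII case-insensitive). Any other
    value leaves MIME sniffing enabled, so it is reported as 'invalid'.
    """
    values = [v for n, v in parse_headers(raw) if n == "x-content-type-options"]
    if not values:
        return "missing"
    first_token = values[0].split(",", 1)[0].strip().lower()
    return "ok" if first_token == "nosniff" else "invalid"


# Constructed sample responses (CRLF line endings as on the wire).
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
CORRECT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "X-Content-Type-Options: nosniff\r\n\r\n<html></html>")
INVALID = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "x-content-type-options: none\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("missing", MISSING), ("correct", CORRECT), ("invalid", INVALID)):
        print(f"{label}: {nosniff_status(resp)}")
```

On the server side the fix is a single directive, for example `add_header X-Content-Type-Options nosniff always;` in nginx or `Header always set X-Content-Type-Options "nosniff"` in Apache httpd.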

Last updated on May 13, 2024
