Content Character Encoding is not Defined
Impact: Informational
Description
Web browsers need to know the character encoding of a document to render it correctly. When the encoding is not explicitly declared, the browser has to either guess it or fall back to a default encoding. An attacker can take advantage of that guess by supplying content in a different encoding, such as UTF-7, to exploit vulnerabilities like XSS.
Recommendation
Send the character encoding in the HTTP Content-Type header, as shown below:
Content-Type: text/html; charset=UTF-8
or declare it with an HTML meta tag like the one below:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
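The check below is an added example, not code from the original advisory: it audits a response for exactly the two declarations the recommendation describes (a charset parameter in the Content-Type header, or a charset-bearing meta tag) and reports the finding when neither is present. The function names and the sample responses are constructed for this example; the 1024-byte prescan window reflects the HTML standard's requirement that a meta encoding declaration be complete within the first 1024 bytes of the document.

```python
"""Added example (not part of the original advisory): audit an HTTP response
for a character-encoding declaration, in either the Content-Type header or an
HTML <meta> tag, as the recommendation above describes."""
import re
from typing import Optional

# charset parameter inside a Content-Type value, e.g. "text/html; charset=UTF-8"
_CHARSET_PARAM = re.compile(r"charset\s*=\s*['\"]?([A-Za-z0-9._:-]+)", re.IGNORECASE)
# <meta> tag carrying a charset, in either the HTML5 form
#   <meta charset="utf-8">
# or the legacy form
#   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
_META_CHARSET = re.compile(r"<meta\b[^>]*?charset\s*=\s*['\"]?([A-Za-z0-9._:-]+)", re.IGNORECASE)
# The HTML standard requires a meta encoding declaration to be complete within
# the first 1024 bytes of the document; browsers only prescan that far.
META_PRESCAN_BYTES = 1024

FINDING = "Content character encoding is not defined"


def charset_from_header(content_type: Optional[str]) -> Optional[str]:
    """Return the charset named in a Content-Type header value, or None."""
    if not content_type:
        return None
    m = _CHARSET_PARAM.search(content_type)
    return m.group(1).lower() if m else None


def charset_from_meta(body: bytes) -> Optional[str]:
    """Return the charset declared by a <meta> tag inside the prescan window, or None."""
    head = body[:META_PRESCAN_BYTES].decode("ascii", errors="replace")
    m = _META_CHARSET.search(head)
    return m.group(1).lower() if m else None


def audit_response(headers: dict, body: bytes) -> dict:
    """Classify a response as declaring its encoding or not.

    headers: response header names mapped to values (looked up case-insensitively);
    body:    raw response body bytes.
    A missing Content-Type header is treated as HTML, since the browser will
    then sniff the type as well as the encoding.
    """
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    is_html = ctype is None or ctype.split(";")[0].strip().lower() == "text/html"
    header_cs = charset_from_header(ctype)
    meta_cs = charset_from_meta(body) if is_html else None
    declared = header_cs or meta_cs
    if not is_html:
        finding = "not-html"  # the check only applies to HTML documents
    elif declared is None:
        finding = FINDING
    else:
        finding = "ok"
    return {"header_charset": header_cs, "meta_charset": meta_cs,
            "declared": declared, "finding": finding}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "header_only": ({"Content-Type": "text/html; charset=UTF-8"},
                    b"<html><body>hi</body></html>"),
    "meta_only": ({"Content-Type": "text/html"},
                  b'<!DOCTYPE html><html><head>'
                  b'<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
                  b'</head><body>hi</body></html>'),
    "undeclared": ({"Content-Type": "text/html"},
                   b"<html><body>hi</body></html>"),
    # meta tag placed after the 1024-byte prescan window: browsers will not see it
    "meta_too_late": ({"Content-Type": "text/html"},
                      b"<!--" + b"x" * 1100 + b'--><meta charset="utf-8">'),
}


def run_samples() -> dict:
    """Audit every constructed sample and return name -> finding."""
    return {name: audit_response(h, b)["finding"] for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name:14s} -> {finding}")
```

The `meta_too_late` sample is the case worth remembering: a meta tag that sits beyond the first 1024 bytes (for example after a large comment or inline script) does not count as a declaration, so the header form of the fix is the more robust of the two.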
Last updated on February 15, 2021