X-Content-Type-Options Header is Missing
Impact: Informational
Description
The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type (MIME type).
This guessing is known as MIME sniffing: the browser infers the MIME type by looking at the contents of the resource instead of relying on the declared type.
The absence of this header might cause browsers to transform non-executable content into executable content.
Recommendation
Configure your server to send this header with the value set to nosniff.
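As an added example (not part of the original advisory), the Python sketch below sets the header in a WSGI wrapper and checks a response for it. The names `nosniff_status`, `NoSniffMiddleware`, `demo_app` and `fetch_headers` are hypothetical, and the sample app is constructed for the demonstration.

```python
from wsgiref.util import setup_testing_defaults

HEADER = "X-Content-Type-Options"


def nosniff_status(headers):
    """Return "ok", "missing" or "invalid" for a list of (name, value) headers.
    Names are case-insensitive; repeated headers are comma-joined and only the
    first value counts, so "nosniff, x" passes and "x, nosniff" does not.
    """
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    if not values:
        return "missing"
    first = ",".join(values).split(",")[0].strip()
    return "ok" if first.lower() == "nosniff" else "invalid"


class NoSniffMiddleware:
    """WSGI wrapper that forces X-Content-Type-Options: nosniff on every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any existing (possibly wrong) value, then add the correct one.
            headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            headers.append((HEADER, "nosniff"))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    # Constructed sample app: declares text/plain but omits the header.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"plain text that must not be sniffed as another type"]


def fetch_headers(app):
    """Call a WSGI app in-process and return the response headers it sent."""
    environ, sent = {}, []
    setup_testing_defaults(environ)
    list(app(environ, lambda status, headers, exc_info=None: sent.extend(headers)))
    return sent


if __name__ == "__main__":
    for app in (demo_app, NoSniffMiddleware(demo_app)):
        print(nosniff_status(fetch_headers(app)))
```

The same `nosniff_status` check can be run over headers captured from any response, which also catches misspelled values such as `no-sniff` that a simple presence check would accept.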
Last updated on February 15, 2021