Investigate vulnerability: X-Content-Type-Options Header Missing

Issue created from vulnerability 62739070

Description:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

  • Severity: low
  • Confidence: unknown

Evidence

Request:
Cache-Control : no-cache
Cookie : _gitlab_session=********; known_sign_in=********; visitor_id=********; event_filter=********; _sort=********
Host : ec.compute-1.amazonaws.com
Pragma : no-cache
Referer : https://ec.compute-1.amazonaws.com/admin/background_jobs
User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0

Response:
Cache-Control : private, no-store
Connection : keep-alive
Content-Language : en
Content-Length : 8769
Content-Security-Policy : default-src 'self' https: http:; child-src 'self'; connect-src 'self' https: http: wss: ws:; font-src 'self' https: http:; frame-src 'self'; img-src 'self' https: http: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self' https: http: 'unsafe-inline'; style-src 'self' https: http: 'unsafe-inline'; worker-src 'self'; base-uri 'self'
Content-Type : text/html
Date : Mon, 23 Jan 2023 11:26:28 GMT
Etag : W/"af415aa2614e5c5ead9f2d54f2589d4a"
Referrer-Policy : strict-origin-when-cross-origin
Server : nginx
Strict-Transport-Security : max-age=63072000
Vary : Accept-Encoding
X-Request-Id : 01GQF62AN8CB5FV19GJ36MD3WK
X-Runtime : 0.052984

Solution:

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Identifiers:

Links:

Scanner:

  • Name: OWASP Zed Attack Proxy (ZAP)

Edited by Nikhil George