Investigate vulnerability: Missing X-Content-Type-Options: nosniff
Description:
The X-Content-Type-Options header with the value nosniff ensures that user agents do not attempt to guess the format of the data being received. User agents such as browsers commonly attempt to guess the type of the resource being requested, through a process called MIME type sniffing.
Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able to upload files that are accessible by using a browser, they could upload files that could be interpreted as HTML and execute Cross-Site Scripting (XSS) attacks.
- Severity: low
- Confidence: medium
Solution:
We recommend that the header and value X-Content-Type-Options: nosniff be set server-wide.
This ensures that any resources mistakenly missing a Content-Type value are not misinterpreted.
Identifiers:
Links:
Scanner:
- Name: Browserker
- Type: dast
- Status: success
- Start Time: 2022-08-06T13:20:40
- End Time: 2022-08-06T13:24:27