Description
MIME type sniffing is standard browser behaviour: when the HTTP headers sent by the server are inconclusive or missing, the browser inspects the response body to decide how to render it.
When the X-Content-Type-Options header is absent, web browsers may perform MIME sniffing on the response body, potentially causing it to be interpreted and displayed as a content type other than the one the server intended.
X-Content-Type-Options (XCTO) is an HTTP response header that can be used to prevent MIME type sniffing, which helps mitigate certain attacks, including Cross-Site Scripting (XSS). It also enables Cross-Origin Read Blocking (CORB) for sensitive resources, helping protect against Cross-Site Script Inclusion (XSSI) and side-channel attacks.
Remediation
Add the X-Content-Type-Options header with a value of "nosniff" to every response. This tells the browser that the Content-Type the site has sent is authoritative and that it must not attempt to "sniff" the real content type from the body.
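The following Python is an added example, not part of the original finding: it audits a response's header list for an effective X-Content-Type-Options value the way a browser evaluates it (header name case-insensitive, repeated lines joined with ", ", only the first comma-separated value considered, compared case-insensitively) and applies the remediation above. The sample header lists are constructed.

```python
"""Audit and fix X-Content-Type-Options (added example; sample headers are
constructed). Parsing mirrors the Fetch standard's "determine nosniff":
join repeated lines with ", ", split on commas, compare the first value
case-insensitively."""
from typing import Iterable, Optional

HEADER = "X-Content-Type-Options"

def _get_combined(headers: Iterable[tuple[str, str]], name: str) -> Optional[str]:
    """Header value as a browser sees it: names are case-insensitive,
    repeated lines are joined with ', '."""
    values = [v for k, v in headers if k.lower() == name.lower()]
    return ", ".join(values) if values else None

def determine_nosniff(headers: Iterable[tuple[str, str]]) -> bool:
    """True if a browser would honour nosniff for this response."""
    combined = _get_combined(headers, HEADER)
    if combined is None:
        return False
    first = combined.split(",", 1)[0].strip()  # only the first value counts
    return first.lower() == "nosniff"

def audit(headers: list[tuple[str, str]]) -> str:
    """Classify a response the way the finding above would."""
    combined = _get_combined(headers, HEADER)
    if combined is None:
        return "missing"
    return "ok" if determine_nosniff(headers) else f"ineffective: {combined!r}"

def add_nosniff(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Remediation: drop any existing value and set exactly 'nosniff'."""
    kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
    return kept + [(HEADER, "nosniff")]

# Constructed sample responses, as (name, value) header lists
SAMPLES = {
    "no header": [("Content-Type", "text/html; charset=utf-8")],
    "correct": [("Content-Type", "application/json"),
                ("x-content-type-options", " NOSNIFF ")],
    "typo": [("Content-Type", "text/plain"), (HEADER, "no-sniff")],
    "wrong order": [(HEADER, "foo"), (HEADER, "nosniff")],  # first value wins
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} -> {audit(hdrs)}")
        assert audit(add_nosniff(hdrs)) == "ok"
```

Note that a second "nosniff" line does not rescue a response whose first X-Content-Type-Options value is wrong, so the fix replaces any existing value rather than appending to it.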