X-Content-Type-Options header not implemented

OWASP 2013-A5 OWASP 2017-A6 CWE-16 ISO27001-A.14.1.2 WASC-15

An X-Content-Type-Options response HTTP header is a marker header that is used by the server to indicate that the Multipurpose Internet Mail Extensions (MIME) types advertised in the Content-Type headers should not be changed and be followed. This header allows to opt-out of Multipurpose Internet Mail Extensions (MIME) type sniffing. This header was first introduced by Microsoft to help webmasters block sniffing attacks. Older versions of IE and chrome performed MIME sniff on the response and interpreted the received information as content rather than an intended content. This vulnerability can be exploited when a website allows users to upload content to a website. During this process, it can give them the opportunity to perform cross-site scripting and compromise the website. Security testers expect this header in the application to ensure utmost security.

Impact

The possible attacks are:-

  • Sniffing attacks
  • Man-In-The-Middle attacks (MITM)

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Implement X-Content-Type-Options header
  • The following shows the implementation on servers.

Nginx

        add_header X-Content-Type-Options "nosniff"

    

Apache

        Header set X-Content-Type-Options "nosniff"

    

Latest Articles