X-Content-Type-Options header cannot be recognized

By
Manieendar Mohan
Published on
05 May 2022
1 min read
Vulnerability

The X-Content-Type-Options response HTTP header is a marker header used by the server to indicate that the Multipurpose Internet Mail Extensions (MIME) type advertised in the Content-Type header should be followed and not changed. It lets a site opt out of MIME type sniffing. The header was first introduced by Microsoft to help webmasters block sniffing attacks: older versions of Internet Explorer and Chrome performed MIME sniffing on the response body and interpreted the received bytes as a content type other than the one the server intended. This weakness can be exploited when a website allows users to upload content, because uploaded content may then be sniffed and rendered as something other than its declared type, giving an attacker the opportunity to perform cross-site scripting and compromise the website. Security testers expect this header in the application's responses to ensure utmost security.

Impact

  • Omitting the X-Content-Type-Options response header allows browsers to MIME-sniff a response and treat it as a content type different from the declared Content-Type.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Implement a proper X-Content-Type-Options header.
  • The following shows the implementation on common web servers.

Nginx

        # Place inside the server (or location) block. The "always" parameter
        # also adds the header to error responses (4xx/5xx), which nginx
        # otherwise skips. Note the trailing semicolon, which nginx requires.
        add_header X-Content-Type-Options "nosniff" always;


Apache

        # Requires mod_headers to be enabled. Use "Header always set ..." if
        # the header must also be sent on error responses.
        Header set X-Content-Type-Options "nosniff"

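Once the header is configured, a tester or CI job still needs to confirm that every response actually carries it with the only defined value, "nosniff", and that the server also sends a Content-Type for the browser to honour. The following checker is an added example written for this article, not Beagle's code or a Beagle Security product feature. It parses raw HTTP responses (the sample responses are constructed), compares header names and the nosniff token case-insensitively, as browsers do, and reports one finding per URL.

```python
"""Check HTTP responses for a correct X-Content-Type-Options: nosniff header.

Added example, not part of the original article. The responses in SAMPLES
are constructed for illustration; a real run would feed in captured
responses (for example from a proxy log) instead.
"""
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    status: str          # "ok", "missing" or "bad-value"
    detail: str
    warnings: List[str]  # related observations that do not change the status


def parse_response(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response into a header map keyed by lower-cased name.

    Header names are case-insensitive, so the map is keyed by the lower-cased
    name; repeated headers are joined with commas, as HTTP allows.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_nosniff(headers: Dict[str, str]) -> Finding:
    """Evaluate one response's headers the way a browser would.

    Browsers look only at the first comma-separated element of the header
    and match "nosniff" case-insensitively; any other value is ignored, so
    it is reported here as a misconfiguration.
    """
    warnings: List[str] = []
    if "content-type" not in headers:
        warnings.append("no Content-Type header: nosniff has no declared type to enforce")

    value = headers.get("x-content-type-options")
    if value is None:
        return Finding("missing", "X-Content-Type-Options header is absent", warnings)
    first_token = value.split(",", 1)[0].strip().lower()
    if first_token != "nosniff":
        return Finding("bad-value",
                       f"value {value!r} is not 'nosniff' and will be ignored", warnings)
    return Finding("ok", "X-Content-Type-Options: nosniff present", warnings)


def check_responses(responses: Dict[str, str]) -> Dict[str, Finding]:
    """Run the check over a {url: raw_response} map."""
    return {url: check_nosniff(parse_response(raw)) for url, raw in responses.items()}


# Constructed sample responses covering the cases a tester wants to catch.
SAMPLES = {
    "/good": ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
              "X-Content-Type-Options: nosniff\r\n\r\n<html></html>"),
    "/mixed-case": ("HTTP/1.1 200 OK\r\ncontent-type: application/javascript\r\n"
                    "x-content-type-options: NoSniff\r\n\r\nconsole.log(1)"),
    "/missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello",
    "/bad-value": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-Content-Type-Options: no-sniff\r\n\r\n<html></html>"),
    "/no-content-type": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n{}",
}

if __name__ == "__main__":
    for url, finding in check_responses(SAMPLES).items():
        line = f"{url:18} {finding.status:10} {finding.detail}"
        for warning in finding.warnings:
            line += f"\n{'':18} warning: {warning}"
        print(line)
```

Running the script prints one line per sample; only "/good" and "/mixed-case" come out as "ok", and "/no-content-type" is accepted but carries a warning, because nosniff can only pin the browser to a type the server actually declared.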

Written by
Manieendar Mohan
Cyber Security Lead Engineer