Http Missing X Content Type Options
Description
Detects when the X-Content-Type-Options security header is missing from HTTP responses. This header tells browsers not to MIME-sniff a response and to honor the declared Content-Type; without it, a file uploaded to the application and served back could be interpreted as executable content (for example, a script) instead of the type the server declared. Omitting this header can lead to MIME confusion attacks.
Weakness: 132 - Insecure or unset HTTP headers - X-Content-Type-Options
Category: Protocol Manipulation
Detection Strategy
• Examines HTTP response headers from the web application
• Reports a vulnerability if the X-Content-Type-Options header is not present in the response
• The header should be set to 'nosniff' to properly protect against MIME-type sniffing attacks
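As an added illustration of the detection strategy above (not Fluid Attacks' own scanner code), the following Python check parses a raw HTTP/1.x response and reports a finding when the header is absent; it also goes slightly beyond the page's rule by treating a present header with a value other than 'nosniff' as a finding. The sample responses are constructed, not captured from any real server, and CRLF line endings are assumed.

```python
"""Flag HTTP responses that lack X-Content-Type-Options: nosniff."""

HEADER_NAME = "x-content-type-options"
EXPECTED_VALUE = "nosniff"


def parse_response_headers(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.x response (CRLF line endings assumed) into its
    status line and a case-insensitive header map. Every occurrence of a
    header is kept so duplicated or conflicting values stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def check_x_content_type_options(raw: bytes) -> dict:
    """Report a finding when the header is missing, and also when it is
    present with a value other than 'nosniff' (compared case-insensitively,
    which is how browsers treat it)."""
    _, headers = parse_response_headers(raw)
    values = headers.get(HEADER_NAME, [])
    if not values:
        return {"vulnerable": True, "reason": "header missing"}
    if all(v.lower() == EXPECTED_VALUE for v in values):
        return {"vulnerable": False, "reason": "nosniff present"}
    return {"vulnerable": True, "reason": f"unexpected value(s): {values}"}


# Constructed sample responses (not captured from any real server).
RESPONSE_MISSING = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
RESPONSE_OK = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
    b"X-CONTENT-TYPE-OPTIONS: NoSniff\r\n\r\nhello"
)
RESPONSE_WRONG_VALUE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
    b"X-Content-Type-Options: sniff\r\n\r\nhello"
)
```

Running `check_x_content_type_options` over the three samples yields a finding for the first and third and a pass for the second, which carries the header in mixed case.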