132 – Insecure or unset HTTP headers - X-Content-Type-Options

Description

The server is missing the X-Content-Type-Options HTTP header.

Impact

Execute MIME sniffing attacks to obtain technical information and craft new attack vectors.

Recommendation

Set the X-Content-Type-Options header to nosniff in the server responses.

Threat

Unauthorized attacker from Internet network.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 062 - Define standard configurations
• 349 - Include HTTP security headers

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala

Last updated

2024/02/14