Insecure or unset HTTP headers - Accept
Description
The application does not set the Accept header or allows any MIME type in the requests. An attacker could abuse this feature to cause unexpected behaviors when the application interprets incorrect content-types.
Impact
Lead to unexpected behaviors due to content type misinterpretations.
Recommendation
- Set the Accept Header in client requests. - Define explicitly the allowed content types for the application. - Deny all request that contain a content type different from the expected by the application.
Threat
Anonymous attacker from the Internet.
Expected Remediation Time
⏱️ 30 minutes.
Requirements
062 - Define standard configurations266 - Disable insecure functionalities349 - Include HTTP security headersRules
Go Accepts Any MimeC Sharp Accepts Any Mime TypeJava Accept Wildcard HeaderJavascript Accepts Wildcard MimeTypescript Accepts Wildcard MimeJava Accept Header Wildcard MimeJavascript Accepts Any Mime HeaderTypescript Accept Any MimeJava Accepts Any MimeConfig Files Accept Header WildcardPython Accept Any Mime HeaderKotlin Accepts Any Mime TypeJavascript Accept Any MimeTypescript Accepts Any Mime Header