329 – Insecure or unset HTTP headers - Content-Type

Description

The application does not define the Content-Type header in the server responses.

Impact

Lead to unexpected behaviors due to content type misinterpretations.

Recommendation

Define explicitly the content types allowed by the application.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 062 - Define standard configurations
• 266 - Disable insecure functionalities
• 349 - Include HTTP security headers

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19