This article is a part of our Web Security Knowledge Base (back to index)

Why Charset Mismatch (Header Versus Meta Charset) can be dangerous

When there’s charset mismatch between the HTTP header and content body web browsers can be forced into an undesirable content-sniffing mode to determine content’s correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. If an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.

How to fix Charset Mismatch (Header Versus Meta Charset)

Force UTF-8 for all text content in both the HTTP header and meta tags in HTML.

How does ScanRepeat report Charset Mismatch (Header Versus Meta Charset)

ScanRepeat identifies HTTP responses where the ‘Content-Type’ header declares a charset different from the charset defined in the meta tag in HTML. It reports every occurrence of this kind of mismatch, giving the url and the encoding declarations which have been found.

Would you like to test your application now against this problem? Sign up for our free trial

Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free