This article is a part of our Web Security Knowledge Base

Why Content-Type Header Missing can be dangerous

The Content-Type header was found to be empty or missing on one or more of your pages. Without it, the browser has to guess what kind of content it received, so an attacker may be able to prepare code that the user's browser treats as part of the web page and executes. Adversaries can therefore attack your web application by modifying the look of your web page or stealing users' data, which may then lead to further Cross-Site Scripting attacks (see XSS).

How to fix Content-Type Header Missing

Ensure that each page sets the specific and proper Content-Type header value for the content which it delivers.

Consider also sending the X-Content-Type-Options: nosniff header, which instructs browsers not to guess the content type.

How does ScanRepeat report Content-Type Header Missing

ScanRepeat analyzes every HTTP response and checks whether its Content-Type header is provided and has a proper value set. It reports every occurrence of this vulnerability, providing the URL where the issue was found.
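
A check of this kind can be sketched as follows. This is an added example, not ScanRepeat's own code; the finding names and the sample responses are constructed for illustration. It validates only the syntax of the Content-Type value (not whether the type matches the body) and also flags a missing nosniff header.

```python
import re

# RFC 9110 "token" characters, used for both the type and the subtype
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")
_BODYLESS = {204, 304}  # these statuses carry no body to label


def audit_response(status, headers, body):
    """Return findings for one response; headers is a list of (name, value)."""
    by_name = {}
    for name, value in headers:  # header names are case-insensitive
        by_name.setdefault(name.strip().lower(), []).append(value.strip())

    # Without a body there is nothing for the browser to sniff.
    if not body or status in _BODYLESS or 100 <= status < 200:
        return []

    findings = []
    ctypes = by_name.get("content-type", [])
    if not ctypes:
        findings.append("content-type-missing")
    elif any(v == "" for v in ctypes):
        findings.append("content-type-empty")
    elif not all(_MEDIA_TYPE.match(v.split(";", 1)[0].strip()) for v in ctypes):
        findings.append("content-type-malformed")

    options = [v.lower() for v in by_name.get("x-content-type-options", [])]
    if "nosniff" not in options:
        findings.append("nosniff-missing")
    return findings


def scan(responses):
    """Map each URL to its findings, keeping only URLs that have any."""
    audited = {url: audit_response(*resp) for url, resp in responses.items()}
    return {url: found for url, found in audited.items() if found}


# Constructed sample responses for illustration (not real scan data).
NOSNIFF = ("X-Content-Type-Options", "nosniff")
SAMPLES = {
    "/ok": (200, [("Content-Type", "text/html; charset=utf-8"), NOSNIFF], b"<p>ok</p>"),
    "/missing": (200, [], b"<p>profile</p>"),
    "/empty": (200, [("content-type", ""), NOSNIFF], b"{}"),
    "/malformed": (200, [("Content-Type", "html"), NOSNIFF], b"<p>x</p>"),
    "/deleted": (204, [], b""),
}
```

Calling scan(SAMPLES) lists only the three problem URLs; the 204 response is skipped because it has no body whose type a browser could guess.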
