This article is a part of our Web Security Knowledge Base (back to index)

Why “X-Content-Type-Options Header Missing” can be dangerous

The missing "X-Content-Type-Options" header enables a browser to perform MIME type sniffing when the Content-Type header is not set or its value seems inappropriate. In other words, when the browser gets the response from the server it tries to figure out on its own what is the type of the content and how to handle it. In certain circumstances that can lead to serious security issues (XSS attack).

For example, if we have an application that allows an upload of jpg files, an attacker may upload a file with jpg extension being in fact an html file with malicious js script inside. Some other user may want to display the image in his browser. The browser gets the file with Content-Type=image/jpg and finds out that content type is inappropriate. If the MIME type sniffing is enabled, the browser handles the file as html and executes the malicious js script. On the other hand, if the MIME type sniffing is disabled by setting the "X-Content-Type-Options" header, the browser displays an error message and the script is not executed.

How to fix “X-Content-Type-Options Header Missing”

Your server should be configured to include the header

X-Content-Type-Options=nosniff

How does ScanRepeat report “X-Content-Type-Options Header Missing”

ScanRepeat reports “X-Content-Type-Options Header Missing” listing all instances of URL resources returned without the header or with the header value different than nosniff along with additional information on what should be set to fix this problem.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free