X-Content-Type-Options Header Missing

Reference

Plugin Id: 10021 | CWE: 693

Remediation

To fix this vulnerability, the X-Content-Type-Options header should be set to ‘nosniff’. This will prevent older versions of Internet Explorer and Chrome from performing MIME-sniffing on the response body.

To set the X-Content-Type-Options header to ‘nosniff’ on an Apache web server with mod_headers enabled, add the following to the server configuration:

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

If you are using a different web server, refer to its documentation for the specific configuration syntax.

About

The X-Content-Type-Options header is a security feature that helps prevent MIME-sniffing attacks. When this header is set to ‘nosniff’, it instructs the browser to strictly interpret the content type specified in the response headers and not perform any MIME-sniffing. This ensures that the response body is displayed as the intended content type and not interpreted as something else.

Without the X-Content-Type-Options header set to ‘nosniff’, older versions of Internet Explorer and Chrome may perform MIME-sniffing on the response body. This means that they may ignore the declared content type and try to guess the content type based on the actual content. This can lead to security vulnerabilities, as the browser may interpret and display the response body as a different content type, potentially exposing sensitive information or executing malicious code.

Risks

If the X-Content-Type-Options header is missing or not set to ‘nosniff’, there are several risks:

  1. MIME-sniffing attacks: Older versions of Internet Explorer and Chrome may perform MIME-sniffing on the response body, potentially causing it to be interpreted and displayed as a content type other than the declared content type. This can lead to security vulnerabilities and expose sensitive information.

  2. Content type misinterpretation: Without the X-Content-Type-Options header set to ‘nosniff’, the browser may interpret the response body as a different content type than intended. This can result in the incorrect rendering of the content or the execution of malicious code.

  3. Compatibility issues: Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. However, if the declared content type is incorrect or missing, it may still lead to compatibility issues with Firefox and other browsers that follow the same behavior.
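A check for the conditions described above, as an added example that is not part of the original page or of the scanner's own code. It audits raw response headers for a missing or wrong X-Content-Type-Options value and for a missing Content-Type; the function names and sample responses are constructed for illustration, and the first-value rule follows the Fetch Standard's handling of this header.

```python
def parse_headers(raw):
    """Parse a raw HTTP response into {lowercase header name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def nosniff_enabled(headers):
    """Repeated headers are joined with commas and only the first value counts,
    compared case-insensitively (Fetch Standard rule)."""
    combined = ", ".join(headers.get("x-content-type-options", []))
    return combined.split(",")[0].strip().lower() == "nosniff"

def audit(raw):
    """Return a list of findings for one raw response; empty means it passes."""
    headers = parse_headers(raw)
    findings = []
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing")
    elif not nosniff_enabled(headers):
        findings.append("X-Content-Type-Options not set to nosniff: %r" % xcto)
    # nosniff makes the browser rely on the declared type, so it must be present.
    if not any(headers.get("content-type", [])):
        findings.append("Content-Type missing: no declared type to enforce")
    return findings

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
                "X-Content-Type-Options: NoSniff\r\n\r\nbody",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nbody",
    "wrong_value": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                   "X-Content-Type-Options: sniff, nosniff\r\n\r\n",
    "no_type": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", audit(raw) or "OK")
```
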