X-Content-Type-Options
Description
The Anti-MIME-Sniffing header X-Content-Type-Options is missing or not set to nosniff.
This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Remediation
Ensure that the application/web server sets the Content-Type header appropriately and that it sets the X-Content-Type-Options header to nosniff for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all or that can be directed by the web application/web server to not perform MIME-sniffing.
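The following is an added example, not part of the Escape documentation: an Express-style middleware that sets the header as the remediation describes, next to an audit function that applies this check's rule (header missing, or present but not nosniff) to a response's headers. The `demo` function and the sample header sets are constructed for illustration.

```javascript
// Added example (not from the Escape documentation): an Express-style
// middleware that sets X-Content-Type-Options: nosniff, plus an audit
// function that applies this check's rule to a response's headers.

// HTTP header names are case-insensitive, so compare them lowercased.
const HEADER = 'x-content-type-options';

// Middleware: set the header on every response before it is sent.
// Works with any object exposing setHeader(), e.g. an Express `res`.
function noSniff(req, res, next) {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  next();
}

// Audit: given a headers object (name -> value), return the finding this
// check would raise, or null when the response is correctly protected.
function auditNoSniff(headers) {
  // Normalise names to lowercase; a later duplicate overrides an earlier one.
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = Array.isArray(value) ? value[0] : String(value);
  }
  const value = lower[HEADER];
  if (value === undefined) {
    return { header: 'X-Content-Type-Options', problem: 'missing' };
  }
  // Browsers match the token "nosniff" case-insensitively; this audit
  // requires exactly that token, so "no-sniff" or "none" is a finding.
  if (value.trim().toLowerCase() !== 'nosniff') {
    return { header: 'X-Content-Type-Options', problem: 'not nosniff', value };
  }
  return null;
}

// Constructed sample responses (not real captures) run through the audit.
function demo() {
  const res = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
  noSniff({}, res, () => {});
  return {
    afterMiddleware: auditNoSniff(res.headers),
    missing: auditNoSniff({ 'Content-Type': 'text/html' }),
    wrongValue: auditNoSniff({ 'x-content-type-options': 'no-sniff' }),
  };
}
```

Wire `noSniff` in with `app.use(noSniff)` before any route handlers so every response, including error pages, carries the header.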
GraphQL Specific
Apollo
To mitigate the risk of MIME type sniffing attacks in the Apollo framework engine, set the 'X-Content-Type-Options' header to 'nosniff' for all responses served by the server. This can be achieved by configuring the server middleware to include this header, ensuring that browsers adhere to the declared content type as specified by the 'Content-Type' header.
Yoga
To mitigate the risk of MIME type sniffing attacks in the Yoga framework engine, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses served by the server. This can typically be achieved by configuring the server settings or by including a middleware that sets this header appropriately for each outgoing response.
Awsappsync
To mitigate the risk of MIME type sniffing which can lead to security vulnerabilities, it is recommended to set the 'X-Content-Type-Options' header to 'nosniff' in all responses served by your AWS AppSync API. This can be achieved by configuring your resolvers or using a Lambda function to set the header on HTTP responses. Ensure that your API's integration responses include the header 'X-Content-Type-Options: nosniff' to instruct browsers to strictly adhere to the declared content type.
Graphqlgo
Set the 'X-Content-Type-Options' header to 'nosniff' in the GraphQL Go framework engine to prevent MIME type sniffing.
Graphqlruby
Set the 'X-Content-Type-Options' header to 'nosniff' in the response to prevent MIME type sniffing.
Hasura
Set the 'X-Content-Type-Options' header to 'nosniff' in the Hasura engine's response headers to prevent MIME type sniffing.
REST Specific
Asp_net
In ASP.NET, ensure that all responses sent from the server include the 'X-Content-Type-Options' HTTP header with the value 'nosniff'. This can be achieved by adding a custom HTTP header in the web.config file or by setting the header directly in your application's response pipeline, giving it the value 'nosniff'.
Ruby_on_rails
In Ruby on Rails, set the 'X-Content-Type-Options' header to 'nosniff' in your application's configuration. Add 'config.action_dispatch.default_headers.merge!({'X-Content-Type-Options' => 'nosniff'})' to 'config/application.rb' or use 'response.headers['X-Content-Type-Options'] = 'nosniff'' in your controllers to prevent MIME-sniffing vulnerabilities.
Next_js
In your Next.js application, ensure that the X-Content-Type-Options header is set to nosniff for all responses. You can achieve this by customizing the server configuration or by using middleware in the API routes to set the header appropriately. For example, you can add a custom server middleware that sets the header like so: res.setHeader('X-Content-Type-Options', 'nosniff'); for each incoming request.
Laravel
In Laravel, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding 'Header set X-Content-Type-Options "nosniff"' to your web server's configuration or by using middleware to include it in the HTTP response headers.
Express_js
In Express.js, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the helmet middleware, which can be installed via npm and included in your application as follows: const helmet = require('helmet'); app.use(helmet.noSniff());
Django
In your Django application, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the 'SecurityMiddleware' provided by Django, which sets this header by default. To enable the middleware, add 'django.middleware.security.SecurityMiddleware' to the 'MIDDLEWARE' setting in your settings.py file. If you have custom response handling, you can also set the header manually by adding 'response['X-Content-Type-Options'] = 'nosniff'' to your HttpResponse objects.
Symfony
In Symfony, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by adding a response header in your controller or by using an event listener to set the header globally. For example, in your controller, you can use '\Symfony\Component\HttpFoundation\Response' to set the header like so: '$response->headers->set('X-Content-Type-Options', 'nosniff');'. Alternatively, create an event listener for 'kernel.response' and set the header for each response sent by the application.
Spring_boot
In Spring Boot applications, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by configuring the security headers in the SecurityConfig class using the HttpSecurity object, or by implementing a custom filter that adds this header to every response.
Flask
In Flask, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding the following line to your view functions or by using a response middleware: 'response.headers['X-Content-Type-Options'] = 'nosniff''.
Nuxt
In your Nuxt.js application, ensure that the X-Content-Type-Options header is set to nosniff for all responses. You can achieve this by using the @nuxtjs/helmet module, which sets security-related headers. After installing the module, add '@nuxtjs/helmet' to the modules section of your nuxt.config.js file, and configure it to include the X-Content-Type-Options header by setting helmet: { contentSecurityPolicy: false, xContentTypeOptions: 'nosniff' } in the same file.
Fastapi
In FastAPI, ensure that all responses include the 'X-Content-Type-Options' header with the value 'nosniff'. This can be achieved by using FastAPI's middleware to add this header to all outgoing responses. For example, you can create a middleware function that sets the 'X-Content-Type-Options' header to 'nosniff' and add it to your FastAPI application instance using the 'app.add_middleware' method.
Configuration
Identifier:
protocol/header_x_content_type_options
Examples
Ignore this check
checks:
  protocol/header_x_content_type_options:
    skip: true
Score
- Escape Severity: LOW
Compliance
OWASP: API7:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 16
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1