Insecure HTTP Header Setting: Content-Type

Insecure HTTP Header Setting: Content-Type

Risk: hardening

Description

The Content-Type header is missing, which means that this website could risk a MIME-sniffing attack.

MIME-type sniffing is standard functionality in browsers to find an appropriate way to render data where the HTTP headers sent by the server are either inconclusive or missing.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the intended one.

The problem arises once a website allows users to upload content published on the web server. If an attacker can carry out an XSS (Cross-site Scripting) attack by manipulating the content in a way to be accepted by the web application and rendered as HTML by the browser, it is possible to inject code in e.g., an image file, and make the victim execute it by viewing the image.

Recommendation

• When serving resources, make sure you send the content-type header to appropriately match the type of the resource being served. For example, if you are serving an HTML page, you should send the HTTP header:

Content-Type: text/html

• Add the X-Content-Type-Options header with a value of "nosniff" to inform the browser to trust what the site has sent is the appropriate content-type, and to not attempt "sniffing" the real content-type.

X-Content-Type-Options: nosniff

Links

• Content-Type

Standards

• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_6_4
  • REQ_11_3