Name in API: x_content_type_options_incorrect_v2
Severity: Low
Factor: Application Security
Summary
Website does not implement X-Content-Type-Options Best Practices is an issue type that flags endpoints where the X-Content-Type-Options HTTP response header is missing or misconfigured. When set to nosniff, this header instructs the browser to honor the MIME type declared in the Content-Type header strictly instead of guessing the type from the content of the response.
How Does It Work?
When a web server responds to a request, it includes a Content-Type header declaring the MIME type of the response body. Without further instruction, browsers may second-guess that declaration by inspecting the first bytes of the body ("MIME sniffing"). When the response also carries the X-Content-Type-Options header with the nosniff directive, the browser disables MIME sniffing and treats the declared Content-Type as authoritative; it additionally refuses to execute a script resource, or apply a stylesheet, whose declared type is not a JavaScript MIME type or text/css respectively.
What is MIME?
MIME (Multipurpose Internet Mail Extensions) types indicate the nature and format of a file. When a web server sends a file to a browser, it includes a Content-Type header that specifies the MIME type (e.g., image/jpeg, text/html), and this tells the browser how to handle the file.
Why is it a Risk?
MIME sniffing is a risk because an attacker may upload a malicious file under an incorrect MIME type. If the browser performs MIME sniffing, it may reinterpret the file as a different type and process it accordingly. For example, a bad actor might upload JavaScript disguised as an image; a sniffing browser may treat the "image" as script, and because the file is served from the victim site's own origin, this can result in cross-site scripting (XSS). With nosniff set, the browser keeps the declared type, and script or stylesheet loads with a mismatched Content-Type are blocked outright.
Self Evaluation
You may validate the presence or absence of the X-Content-Type-Options header on the endpoint with the following third-party tools. Use more than one of them to cross-check contradictory results. When comparing results, ensure that every tool scans exactly the same endpoint (scheme, host, port and path) as the one named in the SecurityScorecard finding; redirects, CDNs and load balancers can cause different hosts or paths to serve different headers.
cURL (the example below shows a response in which the X-Content-Type-Options header is missing)
$ curl -IL https://www.example.com
HTTP/2 200
content-type: text/html
etag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"
last-modified: Mon, 13 Jan 2025 20:11:20 GMT
cache-control: max-age=1802
date: Thu, 27 Mar 2025 17:09:28 GMT
alt-svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,quic=":443"; ma=93600; v="43"
SecurityHeaders.com
By inspecting the response headers in the browser's developer tools (Network tab)
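The following script is an added example (not SecurityScorecard's or any of the tools' own code) that applies the same check locally: it parses a raw HTTP response head such as the curl output above and classifies the endpoint as "missing", "ok" or "incorrect". It mirrors how browsers read the header: the name is case-insensitive, the value is matched case-insensitively, and when the header appears more than once or carries a comma-separated list, only the first value counts. The sample responses are constructed for illustration; fetch_and_evaluate() performs an optional live check against a URL you supply.

```python
"""Check whether an HTTP response carries X-Content-Type-Options: nosniff.

Added example; the sample responses below are constructed, not captured from
a live host (the first one mirrors the curl output shown above, which lacks
the header entirely).
"""
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

HEADER = "x-content-type-options"


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a raw HTTP response head (status line plus header lines) into
    (name, value) pairs. Names are lower-cased: HTTP header names are
    case-insensitive, so 'X-Content-Type-Options' and the lower-case form
    that HTTP/2 emits must be treated alike."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def evaluate_nosniff(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify the endpoint the way a scanner would:
    - 'missing'   : header absent
    - 'ok'        : header present and the browser will honour it
    - 'incorrect' : header present but with a value browsers ignore
    Browsers take the first comma-separated value of the (possibly repeated)
    header and compare it to 'nosniff' case-insensitively."""
    values = [v for n, v in headers if n == HEADER]
    if not values:
        return {"status": "missing", "value": ""}
    first = ",".join(values).split(",")[0].strip()
    if first.lower() == "nosniff":
        return {"status": "ok", "value": first}
    return {"status": "incorrect", "value": first}


def fetch_and_evaluate(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Optional live check: HEAD request, redirects followed (like curl -IL),
    evaluated on the final response. 4xx/5xx responses still carry headers
    worth checking, so they are evaluated rather than treated as errors."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hdrs = list(resp.getheaders())
    except urllib.error.HTTPError as err:
        hdrs = list(err.headers.items())
    return evaluate_nosniff([(k.lower(), v) for k, v in hdrs])


# Constructed sample responses (not captured from a live host).
MISSING = """HTTP/2 200
content-type: text/html
etag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"
cache-control: max-age=1802
"""
CORRECT = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: NOSNIFF
"""
INCORRECT = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: no-sniff
"""

if __name__ == "__main__":
    for label, raw in (("missing", MISSING), ("correct", CORRECT), ("incorrect", INCORRECT)):
        print(label, evaluate_nosniff(parse_raw_headers(raw)))
```

To check a live endpoint, call fetch_and_evaluate("https://www.example.com") with the exact URL from the finding; a result of "incorrect" with a value such as "no-sniff" is the case the finding's name refers to, and it is as bad as a missing header because the browser ignores any value other than nosniff.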
How to mitigate
Implement the X-Content-Type-Options response header with the value nosniff on the endpoint. nosniff is the only value browsers recognise, and the header should be sent on every response the endpoint returns (static assets, redirects and error pages included), not only on HTML pages, because the check is performed against whatever response the endpoint actually serves. Doing so mitigates the finding and allows it to be removed from the list of open issues on the scorecard.
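One way to apply the mitigation at the application layer, as an added example that is not SecurityScorecard's or any framework's code: a WSGI middleware that stamps X-Content-Type-Options: nosniff on every response, replacing any misconfigured value the upstream application may have set. The demo application and the in-process client are constructed for the demonstration; the same header is more commonly set once at the web server or CDN (for example nginx's add_header X-Content-Type-Options "nosniff" always; or Apache httpd's Header always set X-Content-Type-Options "nosniff").

```python
"""WSGI middleware that adds X-Content-Type-Options: nosniff to every response.

Added example. Any WSGI application (Flask, Django, a bare callable) can be
wrapped this way; demo_app and call() below are constructed for the
demonstration and are not part of any real project.
"""
from typing import Callable, Iterable, List, Optional, Tuple
from wsgiref.util import setup_testing_defaults

HEADER_NAME = "X-Content-Type-Options"
HEADER_VALUE = "nosniff"

Headers = List[Tuple[str, str]]


def nosniff_middleware(app: Callable) -> Callable:
    """Wrap `app` so that every response carries X-Content-Type-Options: nosniff.
    Any existing value is dropped first, so a misconfigured value such as
    'no-sniff' set by the application cannot leak through."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers: Headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != HEADER_NAME.lower()]
            headers.append((HEADER_NAME, HEADER_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed upstream app reproducing the scenario from 'Why is it a
    Risk?': an 'image' upload whose body is really JavaScript. Note the
    mismatch between the declared Content-Type and the body; with nosniff the
    browser will not run this as a script even if a <script> tag points at it."""
    body = b"alert(document.cookie)"
    start_response("200 OK", [("Content-Type", "image/png"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: Callable, path: str = "/uploads/avatar.png") -> Tuple[str, Headers, bytes]:
    """Minimal in-process WSGI client returning (status, headers, body)."""
    environ: dict = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header_value(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup, as a browser or scanner would do it."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    status, headers, body = call(nosniff_middleware(demo_app))
    print(status)
    for k, v in headers:
        print(f"{k}: {v}")
```

Wrapping at the outermost layer (application = nosniff_middleware(application) in the WSGI entry point) is what guarantees the header also reaches error pages and static responses generated by other middleware; a header added inside one view function covers only that view.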
Remediation
SecurityScorecard allows the removal of findings if any of the following is true:
- The endpoint configuration has been changed and the X-Content-Type-Options header has been added to the endpoint.
=> Select the finding and then click on the "Fixed" button ("technical_remediation").
- The endpoint has been closed and is therefore unreachable (or serves a 400/404).
=> Select the finding and then click on the "Fixed" button ("technical_remediation").
- After verification (for example with the methods above), the endpoint defined in the finding does have the X-Content-Type-Options header, contrary to what SecurityScorecard states.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it's incorrect" ("false_positive").
- A WAF or IDS/IPS sits in front of the endpoint defined in the finding, and its signatures are configured to mitigate XSS attacks.
=> Select the finding and then click on "Other resolutions" --> "I have a compensating control" ("compensating_control").