
Content-Sniffing

The X-Content-Type-Options response header is not present. WAS reports a missing X-Content-Type-Options header on every crawled link, for all types of static and dynamic response. The check is also performed on 4xx and 5xx responses, so error pages are reported as well, and a directory link can be reported under this QID too.

Consequence
Web browsers employ a content-sniffing (MIME-sniffing) algorithm that inspects the bytes of an HTTP response and, in some cases, overrides the MIME type declared by the server's Content-Type header. If the X-Content-Type-Options header is not present, a browser can be tricked into treating a non-HTML response (for example a user-uploaded "text" or image file whose bytes begin like an HTML document) as HTML. An attacker can leverage this to run script in the origin of the vulnerable site, i.e. a cross-site scripting (XSS) attack. This specific variant is known as a content-sniffing XSS (CS-XSS) attack.
Solution
It is recommended to disable browser content sniffing by adding the X-Content-Type-Options header with the value nosniff to every HTTP response, including error responses, redirects, directory listings and static assets, since the scanner checks each of them. Also ensure that the Content-Type header is set correctly on every response: with nosniff in place, browsers will refuse to execute a script whose Content-Type is not a JavaScript MIME type and will ignore a stylesheet not served as text/css, so an asset served with a wrong or missing Content-Type stops working rather than being sniffed into shape. Verify the MIME types of static assets before rolling the header out.
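The following is an added example and is not part of the Qualys page or the WAS scanner itself. It applies the rule described in the Content-Sniffing and Consequence sections (every response, including 4xx/5xx and directory links, must carry X-Content-Type-Options: nosniff and a Content-Type) to a set of constructed responses, flags the ones whose body starts like HTML as CS-XSS candidates, and then applies the fix from the Solution section. The function names (`checkNoSniff`, `hardenHeaders`, `looksLikeHtml`), the sample responses, the octet-stream fallback, and the HTML-pattern heuristic (a simplified form of the WHATWG MIME Sniffing "HTML pattern" table) are my own assumptions.

```javascript
// Added example (not from the Qualys page or the WAS scanner itself).
// Assumptions: header names compare case-insensitively, the only accepted
// value is "nosniff" (case-insensitive), and a compliant response also has a
// non-empty Content-Type. The HTML patterns are a simplified version of the
// WHATWG MIME Sniffing "HTML pattern" table and are a heuristic only.

// Case-insensitive header lookup; joins repeated headers the way Node does.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(', ') : String(value);
    }
  }
  return null;
}

// Optional leading whitespace, a known HTML tag name, then a space or '>'
// (the "tag-terminating byte" in the sniffing standard), matched case-insensitively.
const HTML_PATTERN =
  /^[\t\n\f\r ]*<(?:!DOCTYPE HTML|HTML|HEAD|SCRIPT|IFRAME|H1|DIV|FONT|TABLE|A|STYLE|TITLE|B|BODY|BR|P|!--)[ >]/i;

function looksLikeHtml(bodyPrefix) {
  return HTML_PATTERN.test(bodyPrefix);
}

// The check the description applies to *every* crawled response: static or
// dynamic, 2xx or 4xx/5xx, directory listing or file.
function checkNoSniff(status, headers, bodyPrefix = '') {
  const xcto = getHeader(headers, 'x-content-type-options');
  const ctype = getHeader(headers, 'content-type');
  const findings = [];
  const sniffable = xcto === null || xcto.trim().toLowerCase() !== 'nosniff';
  if (xcto === null) {
    findings.push('X-Content-Type-Options header missing');
  } else if (sniffable) {
    findings.push(`X-Content-Type-Options has unexpected value "${xcto}"`);
  }
  if (ctype === null || ctype.trim() === '') {
    findings.push('Content-Type header missing or empty');
  }
  // CS-XSS candidate: sniffing is not disabled, the declared type is not HTML,
  // yet the body starts like an HTML document (e.g. an uploaded "text" file).
  const declaredHtml = ctype !== null && /^\s*text\/html/i.test(ctype);
  const csXssCandidate = sniffable && !declaredHtml && looksLikeHtml(bodyPrefix);
  return { status, compliant: findings.length === 0, csXssCandidate, findings };
}

// The fix from the Solution section: always set nosniff (replacing any variant
// spelling of the header name) and never send a response without a Content-Type.
// The octet-stream fallback is an assumed default for bodies the app did not label.
function hardenHeaders(headers, fallbackContentType = 'application/octet-stream') {
  const out = {};
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== 'x-content-type-options') out[key] = value;
  }
  out['X-Content-Type-Options'] = 'nosniff';
  if (getHeader(out, 'content-type') === null) out['Content-Type'] = fallbackContentType;
  return out;
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = [
  { path: '/', status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<!DOCTYPE html><html>...' },
  { path: '/uploads/avatar.png', status: 200,
    headers: { 'content-type': 'image/png', 'x-content-type-options': 'NoSniff' },
    body: '\x89PNG\r\n\x1a\n' },
  { path: '/uploads/notes.txt', status: 200, headers: { 'Content-Type': 'text/plain' },
    body: '<script>alert(document.domain)</script>' },
  { path: '/api/missing', status: 404, headers: { 'Content-Type': 'application/json' },
    body: '{"error":"not found"}' },
  { path: '/static/', status: 200, headers: {}, body: '<html><body>Index of /static/' },
];

function scan(responses) {
  return responses.map(r => ({ path: r.path, ...checkNoSniff(r.status, r.headers, r.body) }));
}

for (const result of scan(SAMPLE_RESPONSES)) {
  const tag = result.compliant ? 'ok  ' : (result.csXssCandidate ? 'XSS?' : 'FAIL');
  console.log(`${tag} ${result.status} ${result.path} ${result.findings.join('; ')}`);
}
```

Only the PNG response passes; the 404 is reported just like the 200s, as the description says, and the two responses whose bodies start like HTML but are not declared as HTML are the ones worth fixing first. When the header is added at the web server rather than in the application, make sure it is emitted on error responses too: in nginx that needs `add_header X-Content-Type-Options nosniff always;` (without `always` the directive only applies to 2xx and 3xx status codes), and in Apache `Header always set X-Content-Type-Options "nosniff"`.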