
X-Content-Type-Options

Description

The Anti-MIME-Sniffing header X-Content-Type-Options is missing or not set to nosniff. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Remediation

Ensure that the application/web server sets the Content-Type header appropriately and that it sets the X-Content-Type-Options header to nosniff for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all or that can be directed by the web application/web server to not perform MIME-sniffing.

GraphQL Specific

Apollo To mitigate the risk of MIME type sniffing attacks in the Apollo framework engine, set the 'X-Content-Type-Options' header to 'nosniff' for all responses served by the server. This can be achieved by configuring the server middleware to include this header, ensuring that browsers adhere to the declared content type as specified by the 'Content-Type' header.
Yoga To mitigate the risk of MIME type sniffing attacks in the Yoga framework engine, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses served by the server. This can typically be achieved by configuring the server settings or by including a middleware that sets this header appropriately for each outgoing response.
Awsappsync To mitigate the risk of MIME type sniffing which can lead to security vulnerabilities, it is recommended to set the 'X-Content-Type-Options' header to 'nosniff' in all responses served by your AWS AppSync API. This can be achieved by configuring your resolvers or using a Lambda function to set the header on HTTP responses. Ensure that your API's integration responses include the header 'X-Content-Type-Options: nosniff' to instruct browsers to strictly adhere to the declared content type.
Graphqlgo Set the 'X-Content-Type-Options' header to 'nosniff' in the GraphQL Go framework engine to prevent MIME type sniffing.
Graphqlruby Set the 'X-Content-Type-Options' header to 'nosniff' in the response to prevent MIME type sniffing.
Hasura Set the 'X-Content-Type-Options' header to 'nosniff' in the Hasura engine's response headers to prevent MIME type sniffing.

REST Specific

Asp_net In ASP.NET, ensure that all responses sent from the server include the 'X-Content-Type-Options' HTTP header with the value 'nosniff'. This can be achieved by adding a custom HTTP header in the web.config file or by setting the header to 'nosniff' directly in your application's response pipeline.
Ruby_on_rails In Ruby on Rails, set the 'X-Content-Type-Options' header to 'nosniff' in your application's configuration. Add `config.action_dispatch.default_headers.merge!({'X-Content-Type-Options' => 'nosniff'})` to `config/application.rb`, or use `response.headers['X-Content-Type-Options'] = 'nosniff'` in your controllers, to prevent MIME-sniffing vulnerabilities.
Next_js In your Next.js application, ensure that the `X-Content-Type-Options` header is set to `nosniff` for all responses. You can achieve this by customizing the server configuration or by using middleware in the API routes to set the header appropriately. For example, you can add a custom server middleware that sets the header like so: `res.setHeader('X-Content-Type-Options', 'nosniff');` for each incoming request.
Laravel In Laravel, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding 'Header set X-Content-Type-Options "nosniff"' to your web server's configuration or by using middleware to include it in the HTTP response headers.
Express_js In Express.js, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the helmet middleware, which can be installed via npm and included in your application as follows: `const helmet = require('helmet'); app.use(helmet.noSniff());`
Django In your Django application, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the 'SecurityMiddleware' provided by Django, which sets this header by default. To enable the middleware, add 'django.middleware.security.SecurityMiddleware' to the 'MIDDLEWARE' setting in your settings.py file. If you have custom response handling, you can also set the header manually by adding 'response['X-Content-Type-Options'] = 'nosniff'' to your HttpResponse objects.
Symfony In Symfony, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by adding a response header in your controller or by using an event listener to set the header globally. For example, in your controller, you can use `\Symfony\Component\HttpFoundation\Response` to set the header like so: `$response->headers->set('X-Content-Type-Options', 'nosniff');`. Alternatively, create an event listener for `kernel.response` and set the header for each response sent by the application.
Spring_boot In Spring Boot applications, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by configuring the security headers in the SecurityConfig class using the HttpSecurity object, or by implementing a custom filter that adds this header to every response.
Flask In Flask, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding the following line to your view functions or by using a response middleware: `response.headers['X-Content-Type-Options'] = 'nosniff'`.
Nuxt In your Nuxt.js application, ensure that the `X-Content-Type-Options` header is set to `nosniff` for all responses. You can achieve this by using the `@nuxtjs/helmet` module, which sets security-related headers. After installing the module, add `'@nuxtjs/helmet'` to the `modules` section of your `nuxt.config.js` file, and configure it to include the `X-Content-Type-Options` header by setting `helmet: { contentSecurityPolicy: false, xContentTypeOptions: 'nosniff' }` in the same file.
Fastapi In FastAPI, ensure that all responses include the 'X-Content-Type-Options' header with the value 'nosniff'. This can be achieved by using FastAPI's middleware to add this header to all outgoing responses. For example, you can create a middleware function that sets the 'X-Content-Type-Options' header to 'nosniff' and add it to your FastAPI application instance using the 'app.add_middleware' method.
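Every remediation above reduces to the same two operations: each response must carry the header, and a check must judge the header the way browsers do. As an added example (not Escape's code and not any listed framework's own middleware), here is a WSGI middleware that forces `X-Content-Type-Options: nosniff` onto every response, together with a checker that applies the Fetch standard's "determine nosniff" rule (case-insensitive name, first value, first comma-separated entry); the sample app and request are constructed.

```python
NOSNIFF_HEADER = "X-Content-Type-Options"


def nosniff_status(headers):
    """Classify a response's header list as 'ok', 'missing' or 'misconfigured'.

    Mirrors the Fetch standard's "determine nosniff" rule: header names are
    case-insensitive, only the first header value counts, and its first
    comma-separated entry must match 'nosniff' ASCII-case-insensitively.
    """
    values = [v for n, v in headers if n.lower() == NOSNIFF_HEADER.lower()]
    if not values:
        return "missing"
    first = values[0].split(",")[0].strip()
    return "ok" if first.lower() == "nosniff" else "misconfigured"


class NoSniffMiddleware:
    """WSGI middleware that forces X-Content-Type-Options: nosniff on every
    response; wraps any WSGI app (Flask, Django, ...) without touching its views."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any existing (possibly wrong) value, then set the correct one.
            kept = [(n, v) for n, v in headers if n.lower() != NOSNIFF_HEADER.lower()]
            kept.append((NOSNIFF_HEADER, "nosniff"))
            return start_response(status, kept, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    """Constructed sample app: declares a Content-Type but omits the header."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"data": null}']


def run(app, environ=None):
    """Invoke a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None  # legacy write() callable, unused here

    body = b"".join(app(environ or {"REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

`nosniff_status(run(demo_app)[1])` reports `missing`, while wrapping the same app in `NoSniffMiddleware` makes it report `ok`.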

Configuration

Identifier: protocol/header_x_content_type_options

Examples

Ignore this check

checks:
  protocol/header_x_content_type_options:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1