Security Test: X-Content-Type-Options
Scanner(s) Support
GraphQL Scanner | REST Scanner | Frontend Scanner |
---|---|---|
Description
Default Severity:
If this header is missing or set to anything other than `nosniff`, browsers are free to inspect the response body and guess ("sniff") its MIME type instead of trusting the declared `Content-Type`. An attacker who can place content on the server, for example through an upload endpoint that serves user files as `text/plain` or `application/octet-stream`, can craft a body that a sniffing browser reinterprets as HTML or JavaScript and runs in the application's origin. Setting `X-Content-Type-Options: nosniff` tells the browser to honour the declared type and, in modern browsers, also makes it refuse to execute `<script>` and stylesheet resources whose `Content-Type` is not a JavaScript or CSS type. The only accepted value is `nosniff`; it is a one-line fix, costs nothing for an API, and should be sent on every response, error pages and file downloads included.
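The check below is an added example written for this page, not code from the scanner itself. It evaluates a response's `X-Content-Type-Options` header the way a browser does (per the Fetch standard's "determine nosniff" rule: the first comma-separated element must be an ASCII case-insensitive match for `nosniff`), and it shows a WSGI middleware that adds the header to an application that omits it. The `upload_app` and its HTML-looking body are constructed samples; the function and variable names are this example's own.

```python
"""Evaluate and enforce X-Content-Type-Options: nosniff.

Added example, not part of the original page or the scanner's code.
"""
from typing import Callable, Iterable, List, Tuple
from wsgiref.util import setup_testing_defaults

Header = Tuple[str, str]


def evaluate_nosniff(headers: Iterable[Header]) -> Tuple[bool, str]:
    """Return (ok, reason) for a list of (name, value) response headers.

    Browsers combine repeated header lines into one comma-separated list
    and only look at the first element, compared case-insensitively.
    Anything other than exactly "nosniff" there leaves sniffing enabled.
    """
    values = [v for k, v in headers if k.lower() == "x-content-type-options"]
    if not values:
        return False, "header absent; browsers may MIME-sniff the response"
    combined = ", ".join(values)
    first = combined.split(",")[0].strip(" \t")
    if first.lower() == "nosniff":
        return True, "nosniff present"
    return False, f"unexpected value {combined!r}; only 'nosniff' disables sniffing"


# Constructed sample: HTML stored as an "upload" and served as text/plain.
# Without nosniff a sniffing browser can treat this as a page in the app's origin.
UPLOADED_BODY = b"<html><body><script>alert(document.domain)</script></body></html>"


def upload_app(environ, start_response):
    """Minimal WSGI app that serves the upload without the protective header."""
    start_response(
        "200 OK",
        [("Content-Type", "text/plain"), ("Content-Length", str(len(UPLOADED_BODY)))],
    )
    return [UPLOADED_BODY]


def add_nosniff(app: Callable) -> Callable:
    """WSGI middleware: append X-Content-Type-Options: nosniff when absent."""

    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            if not any(k.lower() == "x-content-type-options" for k, _ in headers):
                headers = list(headers) + [("X-Content-Type-Options", "nosniff")]
            return start_response(status, headers, exc_info)

        return app(environ, sr)

    return wrapped


def call_wsgi(app: Callable, path: str = "/") -> Tuple[str, List[Header], bytes]:
    """Drive a WSGI app with a constructed GET request; return status, headers, body."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("unprotected", upload_app), ("with middleware", add_nosniff(upload_app))):
        _, hdrs, _ = call_wsgi(app)
        ok, reason = evaluate_nosniff(hdrs)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Note that the evaluator deliberately accepts `nosniff, foo` and rejects `foo, nosniff`: browsers only consult the first list element, so a value that merely contains the word somewhere still leaves the response sniffable.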
Configuration
Identifier:
protocol/header_x_content_type_options
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM02:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 16 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 5.1 |