
Protocol: Content-Type header

Identifier: header_content_type

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

When a response is sent without a correctly set Content-Type header, browsers may guess (MIME-sniff) the file type incorrectly. This misinterpretation can let attackers trick the browser into treating data as a different type than intended, sometimes even as executable code. The risk is that if harmful content is misclassified, it can lead to issues like cross-site scripting or other forms of code injection. Developers often overlook setting or validating this header, relying on the browser to make the correct guess, which can create security gaps and unintended behavior if an attacker manipulates the content.
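To make the check above concrete, here is an added example of a minimal Content-Type review run over a few constructed HTTP responses. It is not the scanner's own implementation: the heuristics (a crude HTML/JSON body sniff, a charset check for text/* types, and a look at the related X-Content-Type-Options: nosniff mitigation, which goes slightly beyond what this page describes), the `Response` class, and the `example.test` URLs are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Response:
    """One captured HTTP response (constructed for this example)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def get_header(resp: Response, name: str):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def sniff_body(body: bytes):
    """Rough guess of what a sniffing browser might infer from the bytes alone.

    Deliberately minimal: it only recognises HTML and JSON, which is enough to
    flag the common 'HTML error page served as JSON' and 'user upload served
    as text' cases. Real browser sniffing is far more elaborate.
    """
    head = body.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "text/html"
    if head[:1] in (b"{", b"["):
        try:
            json.loads(body)
            return "application/json"
        except ValueError:
            pass
    return None


def check_content_type(resp: Response):
    """Return a list of findings for one response; an empty list means it passes."""
    findings = []
    if resp.status == 204 or not resp.body:
        return findings  # nothing to sniff without a body
    content_type = get_header(resp, "Content-Type")
    if content_type is None:
        findings.append("missing Content-Type")
    else:
        media = content_type.split(";")[0].strip().lower()
        # text/* without an explicit charset leaves the encoding to the browser
        if media.startswith("text/") and "charset=" not in content_type.lower():
            findings.append("Content-Type without charset")
        guessed = sniff_body(resp.body)
        if guessed and guessed != media:
            findings.append(f"declared {media} but body looks like {guessed}")
    nosniff = (get_header(resp, "X-Content-Type-Options") or "").strip().lower()
    if nosniff != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def scan(responses):
    """Map each URL to its findings, keeping only responses that have any."""
    results = {r.url: check_content_type(r) for r in responses}
    return {url: f for url, f in results.items() if f}


# Constructed sample responses; the hostname is a placeholder.
SAMPLE_RESPONSES = [
    Response("https://example.test/api/user", 200, {}, b'{"user": "alice"}'),
    Response("https://example.test/files/1", 200,
             {"Content-Type": "text/plain; charset=utf-8",
              "X-Content-Type-Options": "nosniff"},
             b"<html><body>uploaded note</body></html>"),
    Response("https://example.test/api/ok", 200,
             {"content-type": "application/json",
              "x-content-type-options": "nosniff"},
             b'{"status": "ok"}'),
    Response("https://example.test/api/delete", 204, {}, b""),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

The second sample is the case the description is about: a user-controlled body served under a declared type that does not match its content. Declaring the right type fixes the mismatch, and `X-Content-Type-Options: nosniff` tells the browser not to second-guess the declaration, so both are worth checking together.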

Configuration

Example

Example configuration:

---
security_tests:
  header_content_type:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.