Skip to content

Protocol: X-Content-Type-Options

Identifier: header_x_content_type_options

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

If this header isn't set or is set incorrectly, browsers might guess the file's type instead of strictly following what's declared. This uncertainty can let some browsers mistakenly show code or media in a way that attackers could exploit, such as tricking them into downloading malicious files. Developers need to handle this carefully because relying on MIME-sniffing can lead to unexpected behavior and security issues. It's a simple fix that goes a long way in preventing content type confusion in browsers that still perform their own guessing.

Configuration

Example

Example configuration:

---
security_tests:
  header_x_content_type_options:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.