
X-Content-Type-Options

Description

The Anti-MIME-Sniffing header X-Content-Type-Options is missing or not set to nosniff. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Remediation

Ensure that the application/web server sets the Content-Type header appropriately and that it sets the X-Content-Type-Options header to nosniff for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all or that can be directed by the web application/web server to not perform MIME-sniffing.
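The following is an added example, not part of this check's documentation or of Escape's scanner: a small Python checker that mirrors the rule above by parsing a raw HTTP response head and reporting whether a browser will honour nosniff. The sample responses are constructed for the example, and the function names are its own.

```python
"""Check an HTTP response head for X-Content-Type-Options: nosniff.

Browsers following the Fetch "determine nosniff" algorithm look only at the
FIRST X-Content-Type-Options value (and the first comma-separated token of
it), compared case-insensitively to "nosniff". A wrong first value is not
rescued by a later correct one, so the check below does the same.
"""


def parse_response_head(raw: str) -> dict[str, list[str]]:
    """Parse the header block of a raw HTTP/1.x response into a
    lower-cased name -> list-of-values map; repeated headers keep order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_nosniff(headers: dict[str, list[str]]) -> list[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: list[str] = []
    # The remediation also asks for a correct Content-Type: without a declared
    # type there is nothing for nosniff to enforce.
    if "content-type" not in headers:
        findings.append("Content-Type header missing: no declared type to enforce")
    values = headers.get("x-content-type-options")
    if not values:
        findings.append("X-Content-Type-Options header missing")
    else:
        first = values[0].split(",")[0].strip()
        if first.lower() != "nosniff":
            findings.append(
                f"X-Content-Type-Options set to {first!r}, expected 'nosniff'")
    return findings


# Constructed sample responses (not captured from any real server).
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n{}")
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
BAD_FIRST = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "X-Content-Type-Options: sniff\r\n"
             "X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("missing", MISSING), ("bad_first", BAD_FIRST)]:
        print(label, check_nosniff(parse_response_head(raw)) or "pass")
```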

GraphQL Specific

Apollo To mitigate the risk of MIME type sniffing attacks in the Apollo framework engine, set the 'X-Content-Type-Options' header to 'nosniff' for all responses served by the server. This can be achieved by configuring the server middleware to include this header, ensuring that browsers adhere to the declared content type as specified by the 'Content-Type' header.
Awsappsync To mitigate the risk of MIME type sniffing which can lead to security vulnerabilities, it is recommended to set the 'X-Content-Type-Options' header to 'nosniff' in all responses served by your AWS AppSync API. This can be achieved by configuring your resolvers or using a Lambda function to set the header on HTTP responses. Ensure that your API's integration responses include the header 'X-Content-Type-Options: nosniff' to instruct browsers to strictly adhere to the declared content type.
Graphqlgo Set the 'X-Content-Type-Options' header to 'nosniff' in the GraphQL Go framework engine to prevent MIME type sniffing.
Graphqlruby Set the 'X-Content-Type-Options' header to 'nosniff' in the response to prevent MIME type sniffing.
Hasura Set the 'X-Content-Type-Options' header to 'nosniff' in the Hasura engine's response headers to prevent MIME type sniffing.
Agoo Set the 'X-Content-Type-Options' header to 'nosniff' in the Agoo framework to prevent MIME-sniffing vulnerabilities.
Ariadne Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Ariadne framework engine to prevent MIME-sniffing vulnerabilities.
Caliban Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Caliban framework engine to prevent MIME-sniffing vulnerabilities.
Dgraph Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Dgraph framework to prevent MIME-sniffing vulnerabilities.
Dianajl Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Dianajl framework engine to prevent MIME-sniffing vulnerabilities.
Directus Ensure the 'X-Content-Type-Options' header is set to 'nosniff' in the Directus framework to prevent MIME-sniffing vulnerabilities.
Flutter Ensure secure data handling by using the 'flutter_secure_storage' package for storing sensitive information.
Graphene Ensure proper validation and sanitization of input data in the Graphene framework to prevent injection attacks.
Graphqlapiforwp Ensure the GraphQL API for WordPress framework engine is updated to the latest version to mitigate known vulnerabilities and enhance security.
Graphqlgophergo Ensure that the `X-Content-Type-Options` header is set to `nosniff` in the GraphQL Gopher framework to prevent MIME-sniffing vulnerabilities.
Graphqljava Ensure proper validation and sanitization of input data in GraphQL queries to prevent injection attacks.
Graphqlphp Ensure proper input validation and sanitization in GraphQL queries to prevent injection attacks.
Graphqlyoga Ensure that the `X-Content-Type-Options` header is set to `nosniff` in the GraphQL Yoga framework to prevent MIME-sniffing vulnerabilities.
Hypergraphql Ensure proper validation and sanitization of input data in the HyperGraphQL framework to prevent injection attacks.
Jaal Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Jaal framework engine to prevent MIME-sniffing vulnerabilities.
Juniper Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Juniper framework engine to prevent MIME-sniffing vulnerabilities.
Lacinia Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Lacinia framework engine to prevent MIME-sniffing vulnerabilities.
Lighthouse Ensure the 'X-Content-Type-Options' header is set to 'nosniff' to prevent MIME-sniffing vulnerabilities.
Mercurius Ensure proper input validation and sanitization in Mercurius resolvers to prevent injection attacks.
Morpheusgraphql Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Morpheus GraphQL framework to prevent MIME-sniffing vulnerabilities.
Qglgen Ensure that the qglgen framework engine is configured to validate and sanitize all input data to prevent injection attacks.
Sangria Ensure proper validation and sanitization of input data in the Sangria GraphQL engine to prevent injection attacks.
Shopify Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Shopify framework to prevent MIME-sniffing vulnerabilities.
Stepzen Ensure the 'X-Content-Type-Options' header is set to 'nosniff' in the StepZen framework engine to prevent MIME-sniffing vulnerabilities.
Strawberry Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Strawberry Framework engine to prevent MIME-sniffing vulnerabilities.
Tartiflette Ensure proper configuration of the Tartiflette engine to validate and sanitize inputs to prevent injection attacks.
Wpgraphql Ensure that the 'X-Content-Type-Options' header is set to 'nosniff' in the wpgraphql framework to prevent MIME-sniffing vulnerabilities.

REST Specific

Asp_net In ASP.NET, ensure that all responses sent from the server include the 'X-Content-Type-Options' HTTP header with the value 'nosniff'. This can be achieved by adding a custom HTTP header in the web.config file or by setting the header directly in your application's response pipeline.
Ruby_on_rails In Ruby on Rails, set the 'X-Content-Type-Options' header to 'nosniff' in your application's configuration. Add `config.action_dispatch.default_headers.merge!({'X-Content-Type-Options' => 'nosniff'})` to `config/application.rb` or use `response.headers['X-Content-Type-Options'] = 'nosniff'` in your controllers to prevent MIME-sniffing vulnerabilities.
Next_js In your Next.js application, ensure that the `X-Content-Type-Options` header is set to `nosniff` for all responses. You can achieve this by customizing the server configuration or by using middleware in the API routes to set the header appropriately. For example, you can add a custom server middleware that sets the header like so: `res.setHeader('X-Content-Type-Options', 'nosniff');` for each incoming request.
Laravel In Laravel, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding 'Header set X-Content-Type-Options "nosniff"' to your web server's configuration or by using middleware to include it in the HTTP response headers.
Express_js In Express.js, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the helmet middleware, which can be installed via npm and included in your application as follows: `const helmet = require('helmet'); app.use(helmet.noSniff());`
Django In your Django application, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by using the 'SecurityMiddleware' provided by Django, which sets this header by default. To enable the middleware, add 'django.middleware.security.SecurityMiddleware' to the 'MIDDLEWARE' setting in your settings.py file. If you have custom response handling, you can also set the header manually by adding `response['X-Content-Type-Options'] = 'nosniff'` to your HttpResponse objects.
Symfony In Symfony, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by adding a response header in your controller or by using an event listener to set the header globally. For example, in your controller, you can use `\Symfony\Component\HttpFoundation\Response` to set the header like so: `$response->headers->set('X-Content-Type-Options', 'nosniff');`. Alternatively, create an event listener for 'kernel.response' and set the header for each response sent by the application.
Spring_boot In Spring Boot applications, ensure that the 'X-Content-Type-Options' header is set to 'nosniff' for all responses. This can be achieved by configuring the security headers in the SecurityConfig class using the HttpSecurity object, or by implementing a custom filter that adds this header to every response.
Flask In Flask, set the 'X-Content-Type-Options' header to 'nosniff' for all responses by adding the following line to your view functions or by using a response middleware: `response.headers['X-Content-Type-Options'] = 'nosniff'`.
Nuxt In your Nuxt.js application, ensure that the `X-Content-Type-Options` header is set to `nosniff` for all responses. You can achieve this by using the `@nuxtjs/helmet` module, which sets security-related headers. After installing the module, add `'@nuxtjs/helmet'` to the `modules` section of your `nuxt.config.js` file, and configure it to include the `X-Content-Type-Options` header by setting `helmet: { contentSecurityPolicy: false, xContentTypeOptions: 'nosniff' }` in the same file.
Fastapi In FastAPI, ensure that all responses include the 'X-Content-Type-Options' header with the value 'nosniff'. This can be achieved by using FastAPI's middleware to add this header to all outgoing responses. For example, you can create a middleware function that sets the 'X-Content-Type-Options' header to 'nosniff' and add it to your FastAPI application instance using the 'app.add_middleware' method.
Frappe Ensure the 'X-Content-Type-Options' header is set to 'nosniff' in the Frappe framework to prevent MIME-sniffing vulnerabilities.
Genzio Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Genzio framework engine to prevent MIME-sniffing vulnerabilities.
Gin Set the 'X-Content-Type-Options' header to 'nosniff' in the Gin framework by using the middleware to add the header to all responses.
Gorilla Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Gorilla framework to prevent MIME-sniffing vulnerabilities.
Hapi Set the 'X-Content-Type-Options' header to 'nosniff' in the Hapi server response to prevent MIME-sniffing.
Hono Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Hono framework engine to prevent MIME-sniffing vulnerabilities.
Jersey Ensure that the `X-Content-Type-Options` header is set to `nosniff` in the Jersey framework to prevent MIME-sniffing vulnerabilities.
Koa Set the 'X-Content-Type-Options' header to 'nosniff' in your Koa application to prevent MIME-sniffing by adding `ctx.set('X-Content-Type-Options', 'nosniff');` in your middleware.
Ktor Set the `X-Content-Type-Options` header to `nosniff` in the Ktor application by using the `install` feature with `DefaultHeaders` and configuring it to include the header.
Leptos Ensure proper configuration of the Leptos framework engine to prevent security vulnerabilities.
Macaron Ensure the `X-Content-Type-Options` header is set to `nosniff` in the Macaron framework to prevent MIME-sniffing vulnerabilities.
Phoenix Set the `X-Content-Type-Options` header to `nosniff` in the Phoenix framework by adding a plug to your endpoint or router pipeline that calls `Plug.Conn.put_resp_header(conn, "x-content-type-options", "nosniff")` on every response.
Redwoodjs Ensure the `X-Content-Type-Options` header is set to `nosniff` in the RedwoodJS framework by configuring the server to include this header in HTTP responses, preventing MIME-sniffing vulnerabilities.
Rocket Ensure the 'X-Content-Type-Options' header is set to 'nosniff' in Rocket framework to prevent MIME-sniffing vulnerabilities.
Sveltekit Ensure the `X-Content-Type-Options` header is set to `nosniff` in your SvelteKit application by configuring your server to include this header in HTTP responses, preventing MIME-sniffing vulnerabilities.

Configuration

Identifier: protocol/header_x_content_type_options

Examples

Ignore this check

checks:
  protocol/header_x_content_type_options:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1