Protocol: X-Content-Type-Options

Identifier: header_x_content_type_options

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

If the X-Content-Type-Options header is missing or set incorrectly, browsers may guess (MIME-sniff) a response's content type instead of strictly following the declared one, potentially allowing attackers to exploit content type confusion.

How we test: We analyze HTTP response headers to detect if the X-Content-Type-Options header is missing or incorrectly configured. We check if browsers might perform MIME-sniffing that could lead to content type confusion attacks.
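A minimal header check in the spirit of the test described above, as an added example that is not the scanner's own code. The HTTP responses are constructed samples, and the result labels (`pass`, `missing`, `misconfigured`) are names assumed for this illustration.

```python
from typing import Dict


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed
    by lower-cased header name (header names are case-insensitive).
    A repeated header is kept as a comma-joined list."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_x_content_type_options(headers: Dict[str, str]) -> str:
    """Classify the X-Content-Type-Options header of one response.

    "nosniff" is the only defined value; browsers ignore anything else, so
    an unrecognised value offers no protection and is reported as
    misconfigured. A duplicated header is joined above and therefore also
    flagged, which is the conservative choice for a scanner."""
    value = headers.get("x-content-type-options")
    if value is None:
        return "missing"
    if value.strip().lower() == "nosniff":
        return "pass"
    return "misconfigured"


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-Content-Type-Options: nosniff\r\n\r\n<html>",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "typo": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: no-sniff\r\n\r\n",
    "mixed_case": "HTTP/1.1 200 OK\r\nx-content-type-options: NOSNIFF\r\n\r\n",
}


def scan_samples() -> Dict[str, str]:
    """Run the check over every sample and return {name: result}."""
    return {name: check_x_content_type_options(parse_response_headers(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:>11}: {result}")
```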

Configuration

Example

Example configuration:

---
security_tests:
  header_x_content_type_options:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.