Missing "X-Content-Type-Options" Response Header

Description

The API does not set the "X-Content-Type-Options: nosniff" header in its responses. This HTTP header tells browsers not to guess ("sniff") the MIME type of a response body and instead to honour the declared Content-Type header. Without it, the user's browser may mistakenly treat untrusted content (e.g., a user-uploaded file served as text/plain or application/octet-stream) as HTML or JavaScript and execute it. An attacker can leverage this to perform content injection attacks such as Cross-Site Scripting (XSS).

Remediation

Configure your server or application to include the 'X-Content-Type-Options: nosniff' header in all responses. This ensures the browser respects the declared Content-Type and does not attempt to guess it. If using a framework or library, check whether it can set this header automatically; otherwise, add it manually at the application or server configuration level. Note that the header only helps when the Content-Type itself is correct, so serve uploaded or untrusted files with an accurate, non-executable type. Regularly review and test your HTTP response headers to ensure 'nosniff' is consistently applied. Additionally, a Web Application Firewall (WAF) can help detect and block malicious file uploads or suspicious traffic patterns that rely on MIME sniffing.
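One way to both audit captured responses for the header and apply the application-level remediation, as an added example that is not part of this finding text: the audit parses a raw HTTP response and accepts only the exact value "nosniff" (case-insensitive), and a WSGI middleware (the wrapped application is hypothetical) adds the header when the application did not. The sample responses are constructed, not captured from any real server.

```python
HEADER = "X-Content-Type-Options"


def parse_raw_response(raw: bytes) -> tuple[str, dict]:
    """Split a raw HTTP/1.x response into (status line, headers).
    Header names are lower-cased so lookups are case-insensitive;
    a repeated header keeps the last value."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_nosniff(headers: dict) -> bool:
    """True only when the header is present with value 'nosniff'.
    Any other value (typo, empty) leaves sniffing enabled, so it fails."""
    value = headers.get(HEADER.lower())
    return value is not None and value.lower() == "nosniff"


def audit(raw: bytes) -> str:
    """Return 'PASS' or 'FAIL' for one captured response."""
    _status, headers = parse_raw_response(raw)
    return "PASS" if has_nosniff(headers) else "FAIL"


def nosniff_middleware(app):
    """WSGI middleware: set the header on every response unless the
    application already set it (any casing of the name)."""
    def wrapped(environ, start_response):
        def patched_start(status, response_headers, exc_info=None):
            if not any(k.lower() == HEADER.lower() for k, _ in response_headers):
                response_headers.append((HEADER, "nosniff"))
            return start_response(status, response_headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def headers_through(app, environ=None) -> list:
    """Run a WSGI app through the middleware and return the final header list."""
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["headers"] = list(response_headers)
    list(nosniff_middleware(app)(environ or {}, start_response))
    return captured["headers"]


# Constructed sample responses for the audit.
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
PRESENT = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nx-content-type-options: NoSniff\r\n\r\nhi"
WRONG = b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosnif\r\n\r\n"
```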

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
https://owasp.org/www-project-secure-headers/#x-content-type-options
https://owasp.org/www-community/attacks/xss/

Severity

LOW

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-79

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 3.1)

CVSS:4.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 3.1)