VID: 210179
Severity: 20
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description:
The anti-MIME-sniffing header X-Content-Type-Options is not set to 'nosniff'. Without it, browsers (historically Internet Explorer and Chrome in particular) may inspect the response body and interpret it as a content type other than the one declared in the Content-Type header. A response that the server labels as, say, text/plain or an image can then be rendered as HTML or executed as script, which is why a missing header is commonly reported alongside file-upload and cross-site scripting findings.
Make sure the application or web server sets a correct Content-Type header on every response and sends X-Content-Type-Options: nosniff for all pages, including static files and error pages, not only HTML.
All current mainstream browsers honour the header and will not sniff a response that carries it, but the fix belongs on the server side: the end user's browser version cannot be relied on, and the header is what tells a standards-compliant browser not to perform MIME sniffing at all.
* References: https://www.owasp.org/index.php/Security_Headers
* Platforms Affected: Any operating system, any version
Recommendation:
* Apache: define the following in httpd.conf (requires mod_headers). Use "Header always set" instead of "Header set" if the header must also be applied to error responses, since plain "Header set" only affects successful responses. The Content-Security-Policy shown is a starting point to be tailored to the site: 'unsafe-inline' has no meaning in child-src and is ignored there, and connect-src http: permits plaintext connections. X-XSS-Protection is no longer honoured by current browsers; it is harmless but the CSP is what actually restricts script execution.

    <IfModule mod_headers.c>
        Header set Content-Security-Policy "script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src http:; child-src 'unsafe-inline'"
        Header set X-Content-Type-Options nosniff
        Header set X-XSS-Protection "1; mode=block"
        Header set Cache-Control "no-store"
        Header set Pragma "no-cache"
        Header set X-Frame-Options SAMEORIGIN
    </IfModule>

* WebSphere Application Server (WAS), or any Java servlet container: add the header to every response from a servlet filter so that no page is missed:

    response.setHeader("X-Content-Type-Options", "nosniff");
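As an added example (not part of the scanner report and not vendor code), the following Python script shows both halves of the recommendation: a WSGI middleware that stamps X-Content-Type-Options: nosniff onto every response, replacing any value the application set, and a checker that parses a raw HTTP response the way a scanner would and reports whether the header passes. The checker compares the header name and value case-insensitively and, like browsers, looks only at the first value of the header; it also reports the missing-Content-Type case the description above calls out. The function names (add_nosniff, check_nosniff, call_wsgi, to_raw_response, demo_app) and the sample responses are constructed for this example.

```python
"""Added example: apply and verify X-Content-Type-Options: nosniff.

Not part of the scanner report. add_nosniff, check_nosniff, call_wsgi,
to_raw_response and demo_app are names chosen for this example, and the
sample responses are constructed, not captured from a real server.
"""
from http.client import parse_headers
from io import BytesIO

HEADER = "X-Content-Type-Options"


def add_nosniff(app):
    """Wrap a WSGI application so every response carries nosniff.

    Any existing X-Content-Type-Options value is dropped first, so a stray or
    misspelled value set deeper in the application cannot slip through.
    """
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            kept.append((HEADER, "nosniff"))
            return start_response(status, kept, exc_info)
        return app(environ, start)
    return wrapped


def call_wsgi(app, path="/"):
    """Invoke a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def to_raw_response(status, headers, body):
    """Serialise a WSGI result into the raw HTTP/1.1 bytes a scanner reads."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def check_nosniff(raw_response):
    """Decide whether a raw HTTP/1.x response passes the nosniff check.

    Header names and the value are matched case-insensitively, and only the
    first X-Content-Type-Options value counts, mirroring browser behaviour.
    Returns {"ok": bool, "content_type": str or None, "reason": str}.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"
    stream = BytesIO(head)
    stream.readline()  # skip the status line; parse_headers wants headers only
    msg = parse_headers(stream)
    content_type = msg.get("Content-Type")
    values = msg.get_all(HEADER) or []
    if not values:
        return {"ok": False, "content_type": content_type,
                "reason": f"{HEADER} header is missing"}
    if values[0].strip().lower() != "nosniff":
        return {"ok": False, "content_type": content_type,
                "reason": f"{HEADER} is {values[0].strip()!r}, expected 'nosniff'"}
    if content_type is None:
        return {"ok": False, "content_type": None,
                "reason": "nosniff is set but no Content-Type is declared"}
    return {"ok": True, "content_type": content_type, "reason": "nosniff set"}


def demo_app(environ, start_response):
    """Constructed sample application that forgets the header."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


if __name__ == "__main__":
    before = to_raw_response(*call_wsgi(demo_app))
    after = to_raw_response(*call_wsgi(add_nosniff(demo_app)))
    print("before:", check_nosniff(before))
    print("after: ", check_nosniff(after))
```

The middleware deliberately overwrites rather than appends: if the application already emitted a wrong value, appending a second header would leave the wrong one first in line, and browsers only read the first value. Run the checker against the raw bytes of a real response (for example the output of curl -si) to reproduce the scanner's verdict before and after the server change.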
Related URL (CVE): none listed
Related URL (SecurityFocus): none listed
Related URL (ISS): none listed