Undefined Content-Type Header

  • CWE 16
  • WASC 15
  • OWASP 2013-A5
  • OWASP 2017-A6

The Content-Type header is undefined, which means the website may be at risk of MIME-sniffing attacks: without a declared type, browsers guess the type from the content and may execute a resource as script or render it as HTML.

  1. Send the appropriate Content-Type header matching the type of the resource.

  2. Send the X-Content-Type-Options header with its only valid value, "nosniff". It is a way of saying that the webmasters knew what they were doing, and it tells the browser to honour the declared Content-Type rather than guessing.

    X-Content-Type-Options: nosniff
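The two remediation steps above can be checked mechanically. The following is an added example (not part of the original finding) that parses a raw HTTP/1.1 response head and reports whether Content-Type is undefined and whether X-Content-Type-Options carries exactly "nosniff"; the sample responses are constructed, not real captures.

```python
from typing import Dict, List

# Constructed sample responses (not real captures): the first lacks both
# headers, the second declares a type and opts out of MIME sniffing.
RESPONSE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
)
RESPONSE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed
    by lower-cased header name (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_content_type(raw: str) -> List[str]:
    """Return one finding per violated step: Content-Type must be present,
    and X-Content-Type-Options must be exactly 'nosniff' (its only valid
    value). An empty list means both steps are satisfied."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if not headers.get("content-type"):
        findings.append("Content-Type header is undefined")
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header is missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has invalid value {xcto!r}")
    return findings


if __name__ == "__main__":
    for label, resp in (("missing", RESPONSE_MISSING), ("ok", RESPONSE_OK)):
        print(label, audit_content_type(resp) or ["no findings"])
```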