debian-mirror-gitlab/doc/user/application_security/dast/checks/16.1.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

34 lines
1.3 KiB
Markdown
Raw Normal View History

2021-12-11 22:18:48 +05:30
---
stage: Secure
group: Dynamic Analysis
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2021-12-11 22:18:48 +05:30
---
# Missing Content-Type header
## Description
The `Content-Type` header ensures that user agents correctly interpret the data being received. Without this header
being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able
to upload files that are accessible by using a browser, they could upload files that may be interpreted as
HTML and so execute Cross-Site Scripting (XSS) attacks.
## Remediation
Ensure all resources return a proper `Content-Type` header that matches their format. As an example,
when returning JavaScript files, the response header should be: `Content-Type: application/javascript`
For added protection, we recommend that all resources return the `X-Content-Type-Options: nosniff`
header to disable user agents from mis-interpreting resources.
## Details
| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 16.1 | true | 16 | Passive | Low |
## Links
2022-01-26 12:08:38 +05:30
- [CWE](https://cwe.mitre.org/data/definitions/16.html)
2021-12-11 22:18:48 +05:30
- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)