
X-Content-Type-Options: nosniff is set

ab-000008 · security-headers.headers.x-content-type
Severity: medium · Status: active

Why it matters

MIME-sniffing is the browser behavior where, if a server sends a response with a wrong or ambiguous Content-Type, the browser guesses what the content actually is and renders it accordingly. An attacker who can upload a file that looks like a script — even if it's served as text/plain — can trigger script execution if MIME-sniffing is allowed. CWE-430 (Deployment of Wrong Handler) and CWE-436 (Interpretation Conflict) both map to this class of confusion attack. The nosniff directive costs nothing to deploy and closes a class of content-confusion exploits that bypass file type restrictions on upload endpoints.

Severity rationale

Medium because MIME-type confusion attacks require attacker-controlled file upload but can escalate to script execution if content-type handling is ambiguous.

Remediation

Add X-Content-Type-Options: nosniff to your global header configuration. This is a zero-configuration, zero-compatibility-risk fix.

// next.config.js -- the headers() hook returns one rule per route pattern;
// '/(.*)' applies the header to every response the app serves
module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: [{
      key: 'X-Content-Type-Options',
      value: 'nosniff'
    }] }];
  }
};

If you use Express, helmet() sets this automatically. For other frameworks, add the header in your response middleware. The value must be exactly nosniff — no other values are recognized by browsers.

Detection

  • ID: security-headers.headers.x-content-type

  • Severity: medium

  • What to look for: Count all header configuration locations (framework config, middleware, deployment config) and check for X-Content-Type-Options: nosniff in at least 1 of them.

  • Pass criteria: The X-Content-Type-Options: nosniff header is configured in at least 1 of: framework config (next.config.* headers array), middleware, deployment config (vercel.json, netlify.toml), or security middleware such as helmet(). The value must be exactly nosniff — no other values are valid for this header.

  • Fail criteria: The header is not configured anywhere in the project, or is set to a value other than nosniff.

  • Skip (N/A) when: Never.

  • Detail on fail: "X-Content-Type-Options: nosniff header not configured — browsers may MIME-sniff responses"

  • Remediation: This header prevents browsers from MIME-sniffing a response away from the declared content type, mitigating certain attack vectors:

    headers: [{
      key: 'X-Content-Type-Options',
      value: 'nosniff'
    }]
    
