X-Content-Type-Options: nosniff is set
Why it matters
MIME-sniffing is the browser behavior where, if a server sends a response with a wrong or ambiguous Content-Type, the browser guesses what the content actually is and renders it accordingly. An attacker who can upload a file that looks like a script — even if it's served as text/plain — can trigger script execution if MIME-sniffing is allowed. CWE-430 (Deployment of Wrong Handler) and CWE-436 (Interpretation Conflict) both map to this class of confusion attack. The nosniff directive costs nothing to deploy and closes a class of content-confusion exploits that bypass file type restrictions on upload endpoints.
Severity rationale
Medium because MIME-type confusion attacks require attacker-controlled file upload but can escalate to script execution if content-type handling is ambiguous.
Remediation
Add X-Content-Type-Options: nosniff to your global header configuration. This is a zero-configuration, zero-compatibility-risk fix.
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',   // apply to every route
      headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }],
    }];
  },
};
If you use Express, helmet() sets this automatically. For other frameworks, add the header in your response middleware. The value must be exactly nosniff — no other values are recognized by browsers.
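For frameworks without helmet(), the middleware is a one-liner. The following is an added example, not code from the original rule page: a framework-agnostic middleware that sets the header on every response, plus a checker that applies this rule's exact-value test to a finished response's headers. The fake response object is a constructed stand-in for Node's http.ServerResponse (which Express extends), so the block runs offline.

```javascript
// Added example: set X-Content-Type-Options: nosniff without helmet().
// Assumes `res` exposes setHeader()/getHeaders() like Node's http.ServerResponse.
function nosniffMiddleware(req, res, next) {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  if (typeof next === 'function') next();
}

// Rule check on a response's header map: the header name is matched
// case-insensitively (HTTP header names are), but the value must be exactly
// "nosniff" after trimming whitespace, as the rule text requires.
function responseHasNosniff(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'x-content-type-options') {
      return String(value).trim() === 'nosniff';
    }
  }
  return false;
}

// Constructed stand-in for http.ServerResponse, so the example runs offline.
function makeFakeResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), String(value)); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
    getHeaders() { return Object.fromEntries(headers); },
  };
}

// Run the middleware against the fake response and report the rule result.
function demo() {
  const res = makeFakeResponse();
  nosniffMiddleware({}, res, () => {});
  return responseHasNosniff(res.getHeaders());
}

console.log('nosniff configured:', demo());
```

In a real Express app the middleware is registered with app.use(nosniffMiddleware) before any route handlers, so that static files and API responses alike carry the header.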
Detection
- ID: x-content-type
- Severity: medium
- What to look for: Count all header configuration locations (framework config, middleware, deployment config) and check for X-Content-Type-Options: nosniff in at least 1 of them.
- Pass criteria: The X-Content-Type-Options: nosniff header is configured in at least 1 of: framework config (next.config.* headers array), middleware, deployment config (vercel.json, netlify.toml), or security middleware such as helmet(). The value must be exactly nosniff — no other values are valid for this header.
- Fail criteria: The header is not configured anywhere in the project, or is set to a value other than nosniff.
- Skip (N/A) when: Never.
- Detail on fail: "X-Content-Type-Options: nosniff header not configured — browsers may MIME-sniff responses"
- Remediation: This header prevents browsers from MIME-sniffing a response away from the declared content type, mitigating certain attack vectors:
headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }]
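The detection rule above can be implemented as a static scan over the project's configuration files. The block below is an added example, not the scanner's own code: it applies the pass/fail criteria to a set of constructed file contents covering the four locations the rule names (next.config.js headers array, vercel.json, netlify.toml, and a helmet() middleware). The header-matching regex is an assumption of this example, written to cover the common key/value, map, assignment and setHeader() spellings; it treats a wrong value found anywhere as a failure, the stricter reading of the fail criteria.

```javascript
// Added example: static detection of X-Content-Type-Options: nosniff across
// configuration locations. Inputs are file-name -> file-text maps.

// Heuristic pattern (this example's own assumption) for the header in:
//   { key: 'X-Content-Type-Options', value: 'nosniff' }      (next.config / vercel.json)
//   X-Content-Type-Options = "nosniff"                         (netlify.toml)
//   { 'X-Content-Type-Options': 'nosniff' }                    (header maps)
//   res.setHeader('X-Content-Type-Options', 'nosniff')         (middleware)
const HEADER_RE =
  /x-content-type-options["']?\s*(?:,\s*["']?value["']?\s*:\s*|=\s*|:\s*|,\s*)["']([^"']*)["']/gi;

// helmet() sets the header itself, so a helmet() call counts as a location.
const HELMET_RE = /\bhelmet\s*\(/;

function scanFile(name, text) {
  const findings = [];
  if (HELMET_RE.test(text)) {
    findings.push({ file: name, value: 'nosniff', via: 'helmet()' });
  }
  for (const m of text.matchAll(HEADER_RE)) {
    findings.push({ file: name, value: m[1].trim(), via: 'explicit header' });
  }
  return findings;
}

// Pass: at least one location sets exactly "nosniff" and no location sets
// anything else. Fail otherwise, with the rule's detail string.
function evaluate(files) {
  const findings = Object.entries(files).flatMap(([n, t]) => scanFile(n, t));
  const configured = findings.filter((f) => f.value === 'nosniff');
  const wrong = findings.filter((f) => f.value !== 'nosniff');
  const pass = configured.length >= 1 && wrong.length === 0;
  return {
    pass,
    configured,
    wrong,
    detail: pass
      ? null
      : 'X-Content-Type-Options: nosniff header not configured — browsers may MIME-sniff responses',
  };
}

// Constructed sample project: every location the rule names is present.
const SAMPLE_PROJECT = {
  'next.config.js': [
    'module.exports = {',
    '  async headers() {',
    "    return [{ source: '/(.*)', headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }] }];",
    '  },',
    '};',
  ].join('\n'),
  'vercel.json':
    '{ "headers": [{ "source": "/(.*)", "headers": [{ "key": "X-Content-Type-Options", "value": "nosniff" }] }] }',
  'netlify.toml': ['[[headers]]', '  for = "/*"', '  [headers.values]', '    X-Content-Type-Options = "nosniff"'].join('\n'),
  'server.js': ["const helmet = require('helmet');", 'app.use(helmet());'].join('\n'),
};

// Constructed failing project: header present but with an invalid value.
const BAD_PROJECT = {
  'next.config.js': "headers: [{ key: 'X-Content-Type-Options', value: 'no-sniff' }]",
};

console.log(evaluate(SAMPLE_PROJECT));
console.log(evaluate(BAD_PROJECT));
```

Running the scan on the constructed good project finds four configured locations and passes; the bad project fails with one wrong value, and a project with no header at all fails with the rule's detail string.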
External references
- cwe · CWE-430 — Deployment of Wrong Handler
- cwe · CWE-436 — Interpretation Conflict
- owasp:2021 · A05 — Security Misconfiguration
Taxons
History
- 2026-04-17·v1.0.0·Initial import from security-headers·automated