Missing Content-Type Header
Description
The application serves HTTP responses without a Content-Type header. This header tells the browser how to interpret and render the response body. When it is absent, browsers may guess the type through MIME sniffing, which can lead to content being interpreted incorrectly and to security issues such as cross-site scripting (XSS) if attacker-controlled content is interpreted as HTML or script.
Remediation
Configure your web server or application to explicitly set the Content-Type header for all HTTP responses. The header value should accurately reflect the actual content being served.
For HTML content:
Content-Type: text/html; charset=UTF-8
For JSON APIs:
Content-Type: application/json; charset=UTF-8
For plain text:
Content-Type: text/plain; charset=UTF-8
Implementation examples:
Apache (.htaccess or httpd.conf):
# Requires mod_headers to be enabled
<FilesMatch "\.html$">
    Header set Content-Type "text/html; charset=UTF-8"
</FilesMatch>
Nginx:
location / {
    # Used when the type cannot be determined from the file extension
    default_type text/html;
    charset UTF-8;
}
Node.js/Express:
// Set the header explicitly before sending the body
res.setHeader('Content-Type', 'text/html; charset=UTF-8');
res.send(content);
Additionally, consider sending the X-Content-Type-Options: nosniff header so that browsers do not MIME-sniff the body and instead honour the declared Content-Type.
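The following is an added example, not code from the original page or from any of the servers it mentions. It is plain Node.js (no Express dependency) showing both sides of this finding: an audit that flags a captured response for a missing Content-Type, a missing charset on a text type, a declared type that does not match what the body looks like, and a missing nosniff header; and a remediation helper that sets an explicit Content-Type from the request path plus X-Content-Type-Options: nosniff. The function names, the extension table and the sample response are constructed for illustration.

```javascript
'use strict';

// Content-Type values recommended on this page, keyed by file extension.
// Constructed table for this example; extend it for the types you serve.
const CONTENT_TYPES = {
  '.html': 'text/html; charset=UTF-8',
  '.json': 'application/json; charset=UTF-8',
  '.txt': 'text/plain; charset=UTF-8',
};

// Return the Content-Type for a path, or null when the extension is unknown
// (the caller should then decide explicitly rather than let the browser sniff).
function contentTypeFor(path) {
  const m = /\.[A-Za-z0-9]+$/.exec(path);
  return m ? CONTENT_TYPES[m[0].toLowerCase()] || null : null;
}

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Rough guess at what a browser's MIME sniffing would make of the body.
// Returns a MIME type, or null when the body is not obviously HTML or JSON.
function sniffBody(body) {
  const s = String(body || '').trimStart();
  if (/^<!doctype html/i.test(s) || /^<html/i.test(s)) return 'text/html';
  if (s.startsWith('{') || s.startsWith('[')) {
    try { JSON.parse(s); return 'application/json'; } catch (_) { /* not JSON */ }
  }
  return null;
}

// Audit one response ({ headers, body }) and return a list of findings.
// An empty list means Content-Type is present, carries a charset for text
// types, agrees with the body, and nosniff is set.
function auditResponse(res) {
  const findings = [];
  const h = normalizeHeaders(res.headers);
  const ct = h['content-type'];
  if (!ct) {
    findings.push('missing Content-Type header');
  } else {
    const mime = ct.split(';')[0].trim().toLowerCase();
    const textual = mime.startsWith('text/') || mime === 'application/json';
    if (textual && !/;\s*charset=/i.test(ct)) findings.push(`no charset declared for ${mime}`);
    const guess = sniffBody(res.body);
    if (guess && guess !== mime) findings.push(`declared ${mime} but body looks like ${guess}`);
  }
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Apply the remediation: return a copy of the headers with an explicit
// Content-Type for the path and nosniff set. Throws when the extension is
// unknown so that nothing ships without a declared type.
function withContentType(headers, path) {
  const ct = contentTypeFor(path);
  if (!ct) throw new Error(`no Content-Type configured for ${path}`);
  return {
    ...normalizeHeaders(headers),
    'content-type': ct,
    'x-content-type-options': 'nosniff',
  };
}

// Constructed sample: a response served with no Content-Type at all.
const sample = {
  path: '/index.html',
  headers: { Server: 'example' },
  body: '<!DOCTYPE html><p>hello</p>',
};
console.log('before:', auditResponse(sample));
console.log('after: ', auditResponse({ ...sample, headers: withContentType(sample.headers, sample.path) }));
```

Run the audit over responses captured from the application (for example from a proxy log) to find every path that lacks the header, and use the remediation helper as the shape of a middleware that sets the type once, centrally, rather than per handler.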