X-Content-Type-Options (XCTO) Not Implemented
Description
The X-Content-Type-Options response header tells browsers not to perform MIME type sniffing: guessing the real type of a response from its bytes instead of trusting the Content-Type header the server sent. Without it, a browser may interpret a response in a context the server never intended. Two cases matter in practice: a user-controlled file served as text/plain (or, in older browsers, as an image type) that actually contains HTML can be rendered as a page and run script in the application's origin; and a <script src> that points at a response whose Content-Type is not a JavaScript type is still executed as script. With the value nosniff, browsers use only the declared Content-Type, refuse to run a script response that is not served with a JavaScript MIME type, and refuse a stylesheet response that is not served as text/css. The header also makes Cross-Origin Read Blocking (CORB) more effective: with nosniff set, the browser can block cross-origin reads of sensitive HTML, JSON and XML responses on the declared type alone, without first sniffing the body.
Remediation
Configure the web server or application to send X-Content-Type-Options: nosniff on every HTTP response, including error pages, redirects and API responses. This instructs browsers to use only the server-supplied Content-Type and disables MIME type sniffing. Because the header makes the declared type authoritative, confirm that Content-Type is correct everywhere before enabling it: a script served as text/plain, or a stylesheet served as anything other than text/css, will simply stop loading once nosniff is in place. The value is the literal string nosniff (matched case-insensitively); misspellings such as no-sniff are ignored by browsers and leave the response unprotected.
Implementation Examples:
Apache (.htaccess or httpd.conf; requires mod_headers):
    Header always set X-Content-Type-Options "nosniff"
The always condition applies the header to error responses as well as successful ones.
Nginx (nginx.conf):
    add_header X-Content-Type-Options "nosniff" always;
Nginx does not merge add_header across configuration levels: a server or location block that contains any add_header directive of its own drops every add_header inherited from its parent, so repeat this line in each such block. The always parameter sends the header regardless of the response status code.
IIS (web.config, inside the <configuration> element):
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Content-Type-Options" value="nosniff" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
Express.js (Node.js):
    // Register before any route so every response, including error responses, carries the header.
    // The helmet package sets the same header through helmet.noSniff().
    app.use((req, res, next) => {
      res.setHeader('X-Content-Type-Options', 'nosniff');
      next();
    });
ASP.NET (Global.asax.cs):
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Response.Headers can only be modified under the IIS integrated pipeline;
        // Response.AppendHeader works in classic pipeline mode as well.
        Response.Headers.Add("X-Content-Type-Options", "nosniff");
    }
After implementation, verify that the header is present on responses by inspecting the response headers in the browser developer tools (Network tab), with curl -I, or with a security scanner. Check an error page and an API endpoint as well as the home page, since those are often served by a different handler or configuration block and are the ones most commonly missed.
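The following script is an added example and not part of the original finding or of any of the products above. It applies the same two rules a browser applies to this header, the Fetch standard's "determine nosniff" parsing (first comma-separated value, trimmed, compared to "nosniff" ASCII case-insensitively) and its nosniff blocking rule for script and stylesheet loads, to a raw HTTP response such as the output of curl -si. That second rule is what makes it useful before rollout: it flags a script or stylesheet whose Content-Type the browser will start refusing once nosniff is on. The file name xcto_audit.py and all sample responses are assumptions constructed for the example.

```python
"""Audit a raw HTTP response for a usable X-Content-Type-Options: nosniff header.

Added example, not code from the original finding. It applies the Fetch standard's
"determine nosniff" rule (first comma-separated value, trimmed, compared to "nosniff"
ASCII case-insensitively) and its nosniff blocking rule for script and stylesheet
loads. Sample responses are constructed, not captured from a real server.
"""
import sys
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# JavaScript MIME types from the MIME Sniffing standard; under nosniff a <script>
# whose response carries any other Content-Type is blocked by the browser.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def parse_response_headers(raw: str) -> Headers:
    """Header block of a raw HTTP/1.x response (e.g. curl -si output) as (name, value) pairs.
    Names are lower-cased, repeats kept in order; parsing stops at the blank line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("expected an HTTP status line, got %r" % lines[0])
    headers: Headers = []
    for line in lines[1:]:
        if line == "":
            break  # end of header block; any body is ignored
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers

def get_header(headers: Headers, name: str) -> Optional[str]:
    """Combined value of a header or None; Fetch joins repeated fields with ', '."""
    values = [v for n, v in headers if n == name.lower()]
    return ", ".join(values) if values else None

def nosniff_enabled(headers: Headers) -> bool:
    """Fetch 'determine nosniff': only the first comma-separated value counts."""
    value = get_header(headers, "x-content-type-options")
    return value is not None and value.split(",", 1)[0].strip().lower() == "nosniff"

def mime_essence(headers: Headers) -> Optional[str]:
    """type/subtype of the Content-Type, lower-cased, parameters removed."""
    ctype = get_header(headers, "content-type")
    if ctype is None:
        return None
    essence = ctype.split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None

def blocked_by_nosniff(headers: Headers, destination: str) -> bool:
    """Fetch 'should response be blocked due to nosniff': only "script" and "style"
    loads are affected, and a missing or unparsable Content-Type is blocked too."""
    if not nosniff_enabled(headers):
        return False
    essence = mime_essence(headers)
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False

def audit(raw: str, destination: Optional[str] = None) -> List[str]:
    """Findings for one raw response (empty list = pass). destination ("script" or
    "style") says how the page loads it, so a Content-Type the browser will now reject
    under nosniff is reported as well."""
    headers = parse_response_headers(raw)
    findings: List[str] = []
    if not nosniff_enabled(headers):
        findings.append("X-Content-Type-Options: nosniff missing or malformed")
    if mime_essence(headers) is None:
        findings.append("Content-Type missing or unparsable; nosniff has no declared type to enforce")
    if destination and blocked_by_nosniff(headers, destination):
        findings.append("Content-Type %s will be blocked for a %s load under nosniff"
                        % (get_header(headers, "content-type") or "(none)", destination))
    return findings

# Constructed sample responses (not captured from any real server).
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"
MISSPELLED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: no-sniff\r\n\r\n"
HARDENED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: NOSNIFF\r\n\r\n"
MISTYPED_SCRIPT = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n\r\nalert(1)"

def main() -> None:
    if not sys.stdin.isatty():  # e.g.  curl -si https://host/app.js | python3 xcto_audit.py script
        print(audit(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else None) or ["pass"])
        return
    for label, raw, dest in [("missing", MISSING, None), ("misspelled", MISSPELLED, None),
                             ("hardened", HARDENED, None), ("mistyped script", MISTYPED_SCRIPT, "script")]:
        print("%-16s %s" % (label + ":", audit(raw, dest) or ["pass"]))

if __name__ == "__main__":
    main()
```

Run it with no input to see the four constructed cases, or pipe curl -si output into it, passing script or style as the argument when the URL is loaded by a <script> or <link rel="stylesheet">; the "mistyped script" case shows why the Content-Type check belongs in the same audit. The header-list parsing is simplified relative to the standard (a plain comma split, no quoted-string handling), which is adequate for this header but not a general header parser.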