Severity: low | CWE-430 | OWASP Top 10 A05:2021 (Security Misconfiguration)

Missing X-Content-Type-Options Header

The X-Content-Type-Options: nosniff header is absent, so browsers are free to guess (sniff) the content type of a response instead of honouring the declared Content-Type, and may treat a resource that was never meant to be active content as HTML or JavaScript.

How It Works

Browsers, older ones especially, try to be 'helpful' by guessing what a file is from its leading bytes, even when the server says it is text/plain or an image type. If an attacker uploads a file whose bytes are HTML or JavaScript but whose name carries a .txt or .png extension, a sniffing browser may render or execute it in the origin of the site that served it. `nosniff` tells the browser to trust the declared Content-Type and nothing else; in current browsers it also blocks `<script>` and `<link rel="stylesheet">` loads whose response does not carry a JavaScript or text/css MIME type. The header only helps if the Content-Type you declare is present and correct: `nosniff` on a response with no Content-Type, or with the wrong one, fixes nothing.

Vulnerable Code

// BAD: no X-Content-Type-Options header
// A user uploads 'script.txt' containing <script>alert(1)</script>
// The file is served with the type implied by its extension (text/plain);
// a sniffing browser may execute it as HTML if nosniff is missing

Secure Code

// GOOD: next.config.mjs, add nosniff to every response the app serves
export default {
  async headers() {
    return [{
      source: '/(.*)', // match every route, including static assets
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' }
      ]
    }];
  }
};

Real-World Example

MIME sniffing attacks were common on early social platforms that hosted user-uploaded content. A user would upload a 'profile picture' that was actually valid HTML with embedded script, and Internet Explorer, ignoring the declared image type, would render it as a page and execute the script in the platform's origin.

How to Prevent It

  • Add X-Content-Type-Options: nosniff to all HTTP responses, including static files and user uploads, not only HTML pages
  • Always set an explicit, correct Content-Type on API responses (application/json, not text/plain); nosniff only enforces what you declare
  • Validate the content of uploaded files (magic bytes, not just the extension) before serving them, and serve anything you cannot classify as application/octet-stream with Content-Disposition: attachment
  • This is a quick win: one line in your Next.js headers config, or the equivalent add_header / Header directive in nginx or Apache
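The checklist above, put together in working code. This is an added example for this page, not code from the original or from any particular project: a small Node.js module that classifies an upload by its leading bytes rather than its extension, builds the response headers (explicit Content-Type from an allow-list, X-Content-Type-Options: nosniff, and a forced download for anything unrecognised), and includes auditResponseHeaders(), the kind of check a scanner runs against a response. The magic-number table is a constructed subset, the two sample buffers are constructed, and the function names are this example's own.

```javascript
'use strict';

// Constructed magic-number table (a subset; real upload handling needs a fuller one).
// Only types on this list are ever served inline.
const MAGIC = [
  { type: 'image/png',       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg',      bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',       bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

// Return the MIME type implied by the file's leading bytes, or null when the
// bytes match nothing on the allow-list (the extension plays no part).
function detectType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Build the headers for serving an upload. Recognised content gets its real
// type; unknown content is never served inline but forced to a download with an
// opaque type, so a browser has nothing to sniff it into.
function uploadHeaders(buf, filename) {
  const type = detectType(buf);
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Type': type ?? 'application/octet-stream',
  };
  if (type === null) {
    const safeName = filename.replace(/[^\w.-]/g, '_');
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  }
  return headers;
}

// Drop-in for a Node http/Express handler: write the headers derived from the
// bytes, then the bytes themselves.
function serveUpload(res, buf, filename) {
  res.writeHead(200, uploadHeaders(buf, filename));
  res.end(buf);
}

// Audit a response's headers the way a scanner would. `headers` is a plain
// object with lower-cased keys, as Node's IncomingMessage.headers provides;
// `bodySample` is the first few bytes of the body as a string (optional).
function auditResponseHeaders(headers, bodySample) {
  const findings = [];
  const xcto = (headers['x-content-type-options'] || '').trim().toLowerCase();
  if (xcto !== 'nosniff') findings.push('missing X-Content-Type-Options: nosniff');
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!ct) findings.push('missing Content-Type');
  // JSON served as text/plain (or with no type) is exactly what sniffing exploits.
  if (bodySample && /^\s*[\[{]/.test(bodySample) && ct !== 'application/json') {
    findings.push(`JSON body served as ${ct || 'no type'}; use application/json`);
  }
  return findings;
}

// Constructed samples: a genuine PNG signature, and an HTML payload that an
// attacker has renamed to avatar.png.
const SAMPLE_PNG  = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_FAKE = Buffer.from('<html><script>alert(1)</script></html>');

module.exports = { detectType, uploadHeaders, serveUpload, auditResponseHeaders, SAMPLE_PNG, SAMPLE_FAKE };
```

Serving the fake avatar through uploadHeaders() yields application/octet-stream plus Content-Disposition: attachment and nosniff, so even a browser that still sniffs gets nothing to execute. Running auditResponseHeaders() over a response that returns `{"a":1}` as text/plain without nosniff reports both problems, which is the pair of misconfigurations this page describes.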

Affected Technologies

Next.js, Node.js, nginx, Apache

Data Hogo detects this vulnerability automatically.
