Missing Content-Type header
Description
The `Content-Type` header tells user agents how to interpret the data they receive. If the header is not sent, the browser falls back to content sniffing and may misinterpret the data, which opens the door to MIME confusion attacks. If an attacker can upload files that are later served to a browser, they can upload content that the browser treats as HTML and thereby execute Cross-Site Scripting (XSS) attacks.
Remediation
Ensure all resources return a proper `Content-Type` header that matches their format. For example, when returning JavaScript files, the response should include the header `Content-Type: application/javascript`.

For added protection, we recommend that all resources also return the `X-Content-Type-Options: nosniff` header, which stops user agents from sniffing the content type and misinterpreting resources.
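The following Go program is an added example and is not part of the GitLab DAST check or its documentation. It shows both sides of the finding above: `AuditHeaders` is a passive check that reads a response's headers and reports a missing `Content-Type` or a missing `X-Content-Type-Options: nosniff`, and `WithContentType` is a remediation middleware that stamps every response with a `Content-Type` derived from the request path's extension (falling back to `application/octet-stream`) plus `nosniff`. All names, the extension map, and the sample response body are constructed for this example; the weak server assigns `nil` to the `Content-Type` key only to suppress Go's own sniffing so that the response reproduces the condition the check flags.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Finding is one condition the passive audit reports. Names are constructed
// for this example and are not GitLab's identifiers.
type Finding string

const (
	MissingContentType Finding = "missing Content-Type header"
	MissingNosniff     Finding = "missing X-Content-Type-Options: nosniff"
)

// AuditHeaders is the passive side: it only reads response headers and
// reports what is absent. It never modifies the request or response.
func AuditHeaders(h http.Header) []Finding {
	var findings []Finding
	if strings.TrimSpace(h.Get("Content-Type")) == "" {
		findings = append(findings, MissingContentType)
	}
	if !strings.EqualFold(strings.TrimSpace(h.Get("X-Content-Type-Options")), "nosniff") {
		findings = append(findings, MissingNosniff)
	}
	return findings
}

// contentTypes is a small, explicit extension map constructed for this
// example. Unknown extensions fall back to application/octet-stream so the
// browser is told "do not render this" instead of being left to guess.
var contentTypes = map[string]string{
	".js":   "application/javascript",
	".css":  "text/css; charset=utf-8",
	".html": "text/html; charset=utf-8",
	".json": "application/json",
	".png":  "image/png",
}

func contentTypeFor(urlPath string) string {
	if ct, ok := contentTypes[strings.ToLower(path.Ext(urlPath))]; ok {
		return ct
	}
	return "application/octet-stream"
}

// WithContentType is the remediation side: every response leaving the wrapped
// handler carries a Content-Type that matches its extension plus nosniff.
func WithContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", contentTypeFor(r.URL.Path))
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// writeScript emits a constructed sample body standing in for a static file.
func writeScript(w http.ResponseWriter) {
	fmt.Fprint(w, "console.log('hello');")
}

// WeakServer serves the file with no Content-Type at all. Go's net/http would
// normally sniff one in on the first Write; setting the key to nil suppresses
// that, emulating a server that sends nothing.
func WeakServer() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header()["Content-Type"] = nil
		writeScript(w)
	})
}

// HardenedServer serves the same file behind the remediation middleware.
func HardenedServer() http.Handler {
	return WithContentType(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		writeScript(w)
	}))
}

// Probe issues an in-process request against a handler and audits the
// headers that come back, the way a passive scanner would.
func Probe(h http.Handler, target string) []Finding {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return AuditHeaders(rec.Result().Header)
}

func main() {
	fmt.Println("weak:    ", Probe(WeakServer(), "/static/app.js"))
	fmt.Println("hardened:", Probe(HardenedServer(), "/static/app.js"))
}
```

Run it with `go run .`: the weak server yields both findings, the hardened one yields none. Setting the headers in middleware rather than in each handler is the design choice that matters here, since a single forgotten handler is exactly how this finding appears in a scan.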
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.1 | true | 16 | Passive | Low |
Links