Missing Content-Type header

Description

The Content-Type header ensures that user agents correctly interpret the data being received. Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able to upload files that are accessible by using a browser, they could upload files that may be interpreted as HTML and so execute Cross-Site Scripting (XSS) attacks.

Remediation

Ensure all resources return a proper Content-Type header that matches their format. As an example, when returning JavaScript files, the response header should be: Content-Type: application/javascript

For added protection, we recommend that all resources return the X-Content-Type-Options: nosniff header to disable user agents from mis-interpreting resources.

Details

ID	Aggregated	CWE	Type	Risk
16.1	true	16	Passive	Low

Help & feedback

Docs

Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Join First Look to help shape new features.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.

Get Help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support