Missing Content-Type header


The Content-Type header ensures that user agents correctly interpret the data being received. Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able to upload files that are accessible by using a browser, they could upload files that may be interpreted as HTML and so execute Cross-Site Scripting (XSS) attacks.


Ensure all resources return a proper Content-Type header that matches their format. As an example, when returning JavaScript files, the response header should be: Content-Type: application/javascript

For added protection, we recommend that all resources return the X-Content-Type-Options: nosniff header to disable user agents from mis-interpreting resources.