Missing X-Content-Type-Options Header

URLs that are missing the ‘X-Content-Type-Options’ response header with a nosniff value.

In the absence of a MIME type, browsers may ‘sniff’ to guess the content type to interpret it correctly for users.

However, attackers can exploit this behaviour to try to load malicious code, such as JavaScript, via an image they have compromised.

How to Analyse in the SEO Spider

Use the ‘Security’ tab and ‘Missing X-Content-Type-Options Header’ filter to view these URLs and export all URLs using the ‘Export’ button.

What Triggers This Issue

This issue is triggered when a URL is missing the ‘X-Content-Type-Options’ response header with a nosniff value.

For example, a response that does not include the following header:

X-Content-Type-Options: nosniff

How To Fix

To minimise security issues, the X-Content-Type-Options response header should be supplied and set to nosniff.

This instructs browsers to rely only on the Content-Type header and block anything that does not match it accurately. This also means the Content-Type set for each response needs to be accurate.
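As an added illustration (not the SEO Spider's own code), the check below audits a response's header block along the lines described above: it reports a missing or non-nosniff X-Content-Type-Options value and, because nosniff makes the declared type authoritative, a missing or mismatched Content-Type. The function names, the extension table and the sample responses are constructed for this example.

```python
from email.parser import Parser
from pathlib import PurePosixPath

# Assumption for the example: a small subset of the MIME types browsers
# accept for stylesheets and scripts once nosniff is set.
EXPECTED = {
    ".css": {"text/css"},
    ".js": {"text/javascript", "application/javascript"},
}

def audit(path: str, raw_headers: str) -> list[str]:
    """Return findings for one response's header block (status line excluded)."""
    headers = Parser().parsestr(raw_headers, headersonly=True)
    findings = []

    # Repeated headers are combined; only the first value counts,
    # and it is compared case-insensitively.
    xcto = ",".join(headers.get_all("X-Content-Type-Options", []))
    first = xcto.split(",")[0].strip().lower()
    if not xcto:
        findings.append("missing X-Content-Type-Options")
    elif first != "nosniff":
        findings.append(f"X-Content-Type-Options is {first!r}, not 'nosniff'")

    # nosniff makes the declared type authoritative, so it has to be right.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    expected = EXPECTED.get(PurePosixPath(path).suffix.lower())
    if not ctype:
        findings.append("no Content-Type declared")
    elif expected and ctype not in expected:
        findings.append(f"Content-Type {ctype} does not match {path}")
    return findings

# Constructed sample responses, not taken from a real crawl.
SAMPLES = {
    "/site.css": "Content-Type: text/css\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    "/app.js": "Content-Type: text/javascript; charset=utf-8\r\n\r\n",
    "/theme.css": "Content-Type: text/plain\r\nX-Content-Type-Options: NoSniff\r\n\r\n",
    "/logo.png": "X-Content-Type-Options: none\r\n\r\n",
}

def run() -> dict[str, list[str]]:
    return {path: audit(path, raw) for path, raw in SAMPLES.items()}

if __name__ == "__main__":
    for path, findings in run().items():
        print(path, "->", findings or "ok")
```

The /theme.css case is the one to watch when rolling the header out: the header itself is correct, but the stylesheet is declared as text/plain, so a browser honouring nosniff will refuse to apply it.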
