The web application does not return an X-Content-Type-Options header. Certain browsers may attempt to "sniff" the MIME type of pages returned by the server, which can create an exploitable vulnerability if the browser attempts to process a response as the incorrect MIME type, or the response itself has been influenced by an attacker in an attempt to deliberately deceive the MIME type sniffer. Inclusion of the X-Content-Type-Options header with the "nosniff" value instructs the browser to accept Content-Type headers returned by the server as authoritative, and not to attempt MIME type sniffing.
Severity: Low
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 3.1
Recommendation: Return the X-Content-Type-Options HTTP header in application responses with the value "nosniff".