turbot/net_insights

Control: Site headers must contain X-Content-Type-Options

Description

The X-Content-Type-Options header, set to the value 'nosniff', tells the browser to trust the declared Content-Type of a response rather than guess (sniff) its MIME type from the content. MIME sniffing attacks are only effective in specific scenarios: they rely on the browser interpreting text or binary content as HTML. For example, if a user uploads an avatar file named xss.html and the web application does not set a Content-Type header when serving it, the browser will try to determine the content type itself and will likely treat xss.html as an HTML document. An attacker can then direct users to xss.html and conduct a Cross-Site Scripting attack. Note that this control only verifies that the header is present in the response; it does not check that its value is 'nosniff'.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.security_headers_x_content_type_options

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.security_headers_x_content_type_options --share

Steampipe Tables

net_http_request

Params

Args  Name          Default                                           Description    Variable
$1    website_urls  ["https://github.com","https://microsoft.com"]    Website URLs.

SQL

-- Collect the names of all response headers returned by each requested URL.
with available_headers as (
  select
    url,
    array_agg(header.key) as header_names
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text[]))
    )
  group by
    url
)
select
  url as resource,
  -- "<@" is array containment: the left array must be a subset of the right one.
  -- This is an exact string match on the header name; the header's value is not inspected.
  case
    when array['X-Content-Type-Options'] <@ header_names then 'ok'
    else 'alarm'
  end as status,
  case
    when array['X-Content-Type-Options'] <@ header_names then url || ' contains required headers ''X-Content-Type-Options''.'
    else url || ' missing required headers ''X-Content-Type-Options''.'
  end as reason
from
  available_headers;
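The control above reports 'ok' as soon as a header named exactly 'X-Content-Type-Options' is present, so a response carrying 'X-Content-Type-Options: sniff' passes, and a lowercased header name (as HTTP/2 transmits them) would not match at all. The following query is an added example, not part of the net_insights mod: it checks both presence and the 'nosniff' value, comparing header names and values case-insensitively as HTTP requires. It runs over constructed sample responses so it can be executed in any PostgreSQL session without Steampipe; the sample rows assume response_headers is a JSON object mapping each header name to an array of values, which is how Go's http.Header serializes. To run it against live data, replace the "responses" CTE with the net_http_request table.

```sql
-- Added example; not the net_insights mod's own SQL.
with responses(url, response_headers) as (
  values
    -- constructed sample data covering the cases that matter
    ('https://a.example', '{"Content-Type": ["text/html"], "X-Content-Type-Options": ["nosniff"]}'::jsonb),
    ('https://b.example', '{"content-type": ["text/html"], "x-content-type-options": ["NOSNIFF"]}'::jsonb),
    ('https://c.example', '{"Content-Type": ["text/html"], "X-Content-Type-Options": ["sniff"]}'::jsonb),
    ('https://d.example', '{"Content-Type": ["text/html"]}'::jsonb)
),
header_values as (
  -- one row per (url, header name, header value); header names and the
  -- nosniff token are case-insensitive, so normalise both before comparing
  select
    r.url,
    lower(h.key) as name,
    lower(trim(v.value)) as value
  from
    responses as r
    cross join jsonb_each(r.response_headers) as h
    cross join jsonb_array_elements_text(h.value) as v(value)
),
verdict as (
  -- left join so URLs with no matching header still get a row (present = false)
  select
    r.url,
    coalesce(bool_or(hv.name = 'x-content-type-options'), false) as present,
    coalesce(bool_or(hv.name = 'x-content-type-options' and hv.value = 'nosniff'), false) as nosniff
  from
    responses as r
    left join header_values as hv on hv.url = r.url
  group by
    r.url
)
select
  url as resource,
  case
    when nosniff then 'ok'
    else 'alarm'
  end as status,
  case
    when nosniff then url || ' sets X-Content-Type-Options: nosniff.'
    when present then url || ' sets X-Content-Type-Options but not to nosniff.'
    else url || ' is missing X-Content-Type-Options.'
  end as reason
from
  verdict
order by
  url;
```

Run in psql, https://a.example and https://b.example return 'ok', https://c.example returns 'alarm' because the header is present with the wrong value, and https://d.example returns 'alarm' because the header is missing. The presence-only control on this page would have reported https://c.example as 'ok'.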