Control: Site headers must contain X-Content-Type-Options
Description
The X-Content-Type-Options header with the 'nosniff' value helps protect against MIME type sniffing. MIME type sniffing attacks are only effective in specific scenarios where they cause the browser to interpret text or binary content as HTML. For example, if a user uploads an avatar file named xss.html and the web application does not set a Content-Type header when serving the image, the browser will try to determine the content type itself and will likely treat xss.html as an HTML file. The attacker can then direct users to xss.html and conduct a Cross-Site Scripting attack.
Usage
Run the control in your terminal:
steampipe check net_insights.control.security_headers_x_content_type_options
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.control.security_headers_x_content_type_options
Plugins & Tables
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | website_urls | | Website URLs. |
SQL
-- Collect, per URL, the names of all response headers returned by the net_http_request table.
with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (select jsonb_array_elements_text(to_jsonb($1::text[])))
  group by
    url
)
-- The control passes when 'X-Content-Type-Options' is contained in (<@) the aggregated header names.
select
  url as resource,
  case
    when array['X-Content-Type-Options'] <@ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array['X-Content-Type-Options'] <@ array_agg then url || ' contains required headers ''X-Content-Type-Options''.'
    else url || ' missing required headers ''X-Content-Type-Options''.'
  end as reason
from
  available_headers;
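The SQL above only tests whether a header named X-Content-Type-Options is present; it never looks at the value, and it is the 'nosniff' value that actually turns sniffing off. The following is an added example, not part of the net_insights mod or of Steampipe, that replays the same presence check in plain Python over constructed sample responses (the three hostnames and header blocks are made up for illustration) and adds a stricter check that follows the Fetch standard's "determine nosniff" rule: the first value of the header must be an ASCII case-insensitive match for nosniff.

```python
"""Evaluate X-Content-Type-Options on a set of HTTP responses.

Added example, not code from the Steampipe net_insights mod. The sample
responses below are constructed, not captured from real sites.
"""
from typing import Dict, List, Tuple

# Constructed sample: url -> raw response head, as a server might send it.
SAMPLE_RESPONSES: Dict[str, str] = {
    "https://good.example": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
    ),
    "https://present-but-wrong.example": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "x-content-type-options: sniff-away\r\n"   # header present, value useless
        "\r\n"
    ),
    "https://missing.example": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into a header map.

    Field names are case-insensitive in HTTP, so they are folded to
    lowercase; repeated fields accumulate into a list in wire order.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_presence(headers: Dict[str, List[str]]) -> str:
    """Mirror the control's logic: 'ok' if the header exists at all, else 'alarm'."""
    return "ok" if "x-content-type-options" in headers else "alarm"


def check_nosniff(headers: Dict[str, List[str]]) -> str:
    """Stricter check, per the Fetch standard: the header must be present and its
    first value must be an ASCII case-insensitive match for 'nosniff'."""
    values = headers.get("x-content-type-options")
    if not values:
        return "alarm"
    return "ok" if values[0].lower() == "nosniff" else "alarm"


def evaluate(responses: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (resource, presence_status, nosniff_status, reason) per URL,
    with the reason text phrased like the control's own output."""
    rows: List[Tuple[str, str, str, str]] = []
    for url, raw in responses.items():
        headers = parse_headers(raw)
        presence = check_presence(headers)
        strict = check_nosniff(headers)
        if presence == "ok":
            reason = f"{url} contains required headers 'X-Content-Type-Options'."
        else:
            reason = f"{url} missing required headers 'X-Content-Type-Options'."
        rows.append((url, presence, strict, reason))
    return rows


if __name__ == "__main__":
    for row in evaluate(SAMPLE_RESPONSES):
        print(" | ".join(row))
```

Run it as-is and the second sample shows the gap: the presence check reports 'ok' while the nosniff check reports 'alarm'. When a site passes the Steampipe control but you want assurance the protection is actually active, the value check is the one to run.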