• MIME Sniffing


    Abstract:

    The web.config file does not include the required header to mitigate MIME sniffing attacks

    Explanation:

    MIME sniffing is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it.

    If MIME sniffing is not explicitly disabled, some browsers can be manipulated into interpreting data in a way that is not intended, allowing for cross-site scripting attacks.

    For each page that could contain user controllable content, you should use the HTTP Header X-Content-Type-Options: nosniff.

    Recommendations:

    To mitigate this finding, the programmer can either: (1) set it globally for all pages in the application in the web.config file, or (2) set the required header page by page for only those pages that might contain user-controllable content.

    To set it globally add the header in the web.config file for the application being hosted by Internet Information Services (IIS):

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Content-Type-Options" value="nosniff"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>

    The following example shows how to add the header in the global Application_BeginRequest method:

    void Application_BeginRequest(object sender, EventArgs e)
    {
        // Runs for every request, so the header is emitted on every response
        this.Response.Headers["X-Content-Type-Options"] = "nosniff";
    }

    The following example shows how to add it to a page by implementing a custom HTTP module using the IHttpModule interface:

    using System;
    using System.Web;

    public class XContentTypeOptionsModule : IHttpModule
    {
        // Init and Dispose were elided ("...") in the original listing; they are
        // shown here so the module compiles and is actually wired to the pipeline.
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += context_PreSendRequestHeaders;
        }

        public void Dispose() { }

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpApplication application = sender as HttpApplication;
            if (application == null) return;
            // Leave any value a page has already set explicitly untouched
            if (application.Response.Headers["X-Content-Type-Options"] != null) return;
            // Writing Response.Headers requires the IIS integrated pipeline mode
            application.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        }
    }
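    Whichever of the two options is chosen, the finding is only closed if the header actually reaches the client. The following checker is an added example, not part of the original finding text or of any product's own tooling: it inspects a web.config for the global customHeaders entry (honouring <clear> and <remove> elements, which undo an earlier <add> in document order) and separately inspects a captured response's header list. The sample config strings and header lists are constructed for illustration.

```python
"""Verify that an ASP.NET application emits X-Content-Type-Options: nosniff.

Two independent checks:
  1. web_config_sets_nosniff(): static check of the web.config customHeaders.
  2. response_sets_nosniff():  runtime check of a captured response's headers.
Header names and values are compared case-insensitively, as HTTP requires.
"""
import xml.etree.ElementTree as ET

HEADER = "x-content-type-options"
EXPECTED = "nosniff"


def web_config_sets_nosniff(web_config_xml: str) -> bool:
    """True if system.webServer/httpProtocol/customHeaders ends up adding the header.

    IIS applies <clear>, <remove> and <add> in document order, so a later
    <remove> or <clear> cancels an earlier <add>; the last action wins here too.
    """
    root = ET.fromstring(web_config_xml)  # root is <configuration>
    custom = root.find("./system.webServer/httpProtocol/customHeaders")
    if custom is None:
        return False
    present = False
    for elem in custom:
        name = (elem.get("name") or "").lower()
        if elem.tag == "clear":
            present = False
        elif elem.tag == "remove" and name == HEADER:
            present = False
        elif elem.tag == "add" and name == HEADER:
            present = (elem.get("value") or "").strip().lower() == EXPECTED
    return present


def response_sets_nosniff(headers) -> bool:
    """headers: iterable of (name, value) pairs captured from one HTTP response."""
    for name, value in headers:
        if name.lower() == HEADER:
            return value.strip().lower() == EXPECTED
    return False


# Constructed sample inputs (not from any real deployment).
GOOD_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

MISSING_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# The header is added and then wiped by a later <clear>: still a finding.
CLEARED_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
        <clear />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

GOOD_RESPONSE = [("Content-Type", "text/html"), ("X-Content-Type-Options", "NOSNIFF")]
BAD_RESPONSE = [("Content-Type", "text/html"), ("Cache-Control", "no-store")]


def audit(web_config_xml: str, headers) -> list:
    """Return the list of findings (empty list means both checks passed)."""
    findings = []
    if not web_config_sets_nosniff(web_config_xml):
        findings.append("web.config does not add X-Content-Type-Options: nosniff")
    if not response_sets_nosniff(headers):
        findings.append("response lacks X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, cfg, hdrs in [("good", GOOD_CONFIG, GOOD_RESPONSE),
                             ("missing", MISSING_CONFIG, BAD_RESPONSE),
                             ("cleared", CLEARED_CONFIG, GOOD_RESPONSE)]:
        print(label, audit(cfg, hdrs) or "OK")
```

    The static check alone is not sufficient: a page can still overwrite the header, and a module can be left out of the pipeline, so the response check is the one to wire into a test that hits each page that renders user-controllable content.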

  • Original source: https://www.cnblogs.com/time-is-life/p/6202821.html