ReddAPI: Content Sniffing not disabled

2014-05-18T13:22:29
ID H1:12457
Type hackerone
Reporter chmosama
Modified 2014-10-28T16:46:29

Description

URL :- https://api.reddapi.com/

Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly. This can make the web application vulnerable against Cross-Site Scripting (XSS) attacks. E.g. the Internet Explorer and Safari treat responses with the content type text/plain as HTML, if they contain HTML tags.

Issue remediation :- Set the following HTTP header at least in all responses which contain user input: X-Content-Type-Options: nosniff