Details
Description
The application's responses do not include the X-Content-Type-Options header.
This header protects against MIME sniffing, i.e. the browser guessing the MIME type of a response from its content instead of honouring the Content-Type header. Without it, a response the application serves as something other than HTML (for example a JSON or plain-text body containing attacker-controlled data, especially when the Content-Type is missing, wrong or generic) may be interpreted by the browser as HTML, and any script it contains is then executed in the application's origin, which is an XSS attack. The header also makes browsers refuse to execute scripts and apply stylesheets whose declared MIME type is not a JavaScript or CSS type, so it should be combined with a correct Content-Type on every response; nosniff does not repair a wrong Content-Type, it makes the browser trust it.
More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
The following header should be added to every server response:
X-Content-Type-Options: nosniff
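As an added example (not code from this report or from the scanned application), the following Python shows both sides of the remediation: a WSGI middleware that sets the header on every response regardless of what the wrapped application emits, and a checker that verifies captured response headers the way a scanner would. The application name `json_app`, the minimal WSGI environ and the sample JSON body are constructed for illustration.

```python
"""Add X-Content-Type-Options: nosniff to every WSGI response, and check for it.

Hypothetical example: json_app stands in for the scanned application and the
environ in call_app() is the minimum a WSGI app needs, not a real request.
"""

HEADER_NAME = "X-Content-Type-Options"


def nosniff_middleware(app):
    """Wrap a WSGI app so every response carries exactly one nosniff header."""

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any value the application set (right or wrong) and replace
            # it, so the header is present once with the only valid value.
            kept = [(k, v) for k, v in headers if k.lower() != HEADER_NAME.lower()]
            kept.append((HEADER_NAME, "nosniff"))
            return start_response(status, kept, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def has_nosniff(headers):
    """Return True if the headers carry X-Content-Type-Options: nosniff.

    Accepts a mapping or an iterable of (name, value) pairs. Header names are
    case-insensitive; browsers compare the first comma-separated value
    case-insensitively against "nosniff", so the check does the same.
    """
    pairs = headers.items() if hasattr(headers, "items") else headers
    for name, value in pairs:
        if name.lower() == HEADER_NAME.lower():
            first = value.split(",", 1)[0].strip()
            return first.lower() == "nosniff"
    return False


def json_app(environ, start_response):
    """Constructed sample app: serves JSON without the header (the finding)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"user": "alice"}']


def call_app(app, path="/"):
    """Invoke a WSGI app offline and return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "http",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, before, _ = call_app(json_app)
    _, after, _ = call_app(nosniff_middleware(json_app))
    print("unwrapped app has nosniff:", has_nosniff(before))
    print("wrapped app has nosniff:  ", has_nosniff(after))
```

The middleware replaces rather than appends so that an application which already emits a malformed value (for example an empty one) still ends up with a single valid header; the same wrapping pattern applies to any framework that exposes a response hook, and a reverse proxy in front of the application can set the header for static files and error pages the application never sees.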