The X-Content-Type-Options header was not identified in the application's responses.
This header protects against attacks based on MIME sniffing, in which a web browser guesses the MIME type of a response from its content instead of using the Content-Type header value. The browser may thereby be forced to load the resource as HTML even if its declared type is, for example, application/json. As a result, an XSS attack may be performed.
This header should be added to all server responses:
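One way to enforce this at the application layer, shown as an added example that is not part of the original finding: a Python WSGI middleware that sets `X-Content-Type-Options: nosniff` on every response, plus a check that flags responses lacking it. The Python/WSGI stack, the constructed `json_app` endpoint and all helper names are assumptions, since the finding does not name the application's stack.

```python
from wsgiref.util import setup_testing_defaults

HEADER = "X-Content-Type-Options"
VALUE = "nosniff"  # the only value defined for this header


def missing_nosniff(headers):
    """Return True unless the header list has exactly one correct nosniff header."""
    values = [v.strip().lower() for k, v in headers if k.lower() == HEADER.lower()]
    return values != [VALUE]


class NoSniffMiddleware:
    """Wrap any WSGI app so every response (errors included) carries the header."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any existing (wrong or duplicated) value, then set the correct one.
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            kept.append((HEADER, VALUE))
            return start_response(status, kept, exc_info)

        return self.app(environ, patched_start)


def json_app(environ, start_response):
    """Constructed sample endpoint: returns JSON and omits the header."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"name": "<b>user-supplied text</b>"}']


def call(app):
    """Invoke a WSGI app once in-process and return (status, headers, body)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for name, app in (("bare", json_app), ("wrapped", NoSniffMiddleware(json_app))):
        _, headers, _ = call(app)
        print(name, "missing nosniff:", missing_nosniff(headers))
```

The same header can instead be set once at a reverse proxy or web server in front of the application, which also covers static files and error pages the application never handles.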