Medium Severity
Missing X-Content-Type-Options
Tells the browser not to "guess" a resource's type by inspecting its bytes (MIME sniffing) and to honour only the `Content-Type` the server declared.
Business Risk
If you allow users to upload files, an attacker might upload a file named `image.jpg` whose bytes are actually HTML with an embedded `<script>` block. Without this header, a browser that sniffs (historically Internet Explorer, and older Chrome versions in some cases) may inspect the content, decide it looks like HTML, and render it in your origin, executing the script as a stored XSS. This header says: "I said it is a JPEG, treat it as a JPEG." It only helps if the declared type is right, so uploads still need a correct `Content-Type` (or a download disposition) alongside the header.
Technical Details
The only valid value is `nosniff`; browsers ignore anything else (`no-sniff`, `none`), so a typo silently leaves you unprotected. In current browsers `nosniff` also blocks `<script>` resources whose `Content-Type` is not a JavaScript MIME type and stylesheets not served as `text/css`, so audit your static-file types before enabling it: a script served as `text/plain` will stop loading instead of being sniffed into working. Once types are correct this is a set-and-forget header that belongs on every response, including error pages, redirects and API responses, not only HTML pages.
Remediation Guide
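As a worked remediation example added for this page (not the scanner's code or any framework's built-in feature): a WSGI middleware that stamps `nosniff` on every response, including error pages and responses where a misspelled value was already set lower in the stack. `demo_app`, its paths and its headers are constructed for the example.

```python
"""Added example: force X-Content-Type-Options: nosniff on every WSGI response.

Illustrative code written for this page, not the scanner's or any framework's
own implementation. `demo_app` and the captured responses are constructed.
"""
from __future__ import annotations

from typing import Callable, Iterable

HEADER = "X-Content-Type-Options"
VALUE = "nosniff"


def with_nosniff(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return a header list carrying exactly one X-Content-Type-Options: nosniff.

    Header names are case-insensitive, so an existing `x-content-type-options`
    (possibly with a wrong value such as 'no-sniff') is dropped and replaced
    rather than duplicated.
    """
    kept = [(name, value) for name, value in headers if name.lower() != HEADER.lower()]
    kept.append((HEADER, VALUE))
    return kept


class NoSniffMiddleware:
    """Wraps a WSGI app so every response, including error pages, gets the header."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        def start_response_with_nosniff(status, headers, exc_info=None):
            return start_response(status, with_nosniff(list(headers)), exc_info)

        return self.app(environ, start_response_with_nosniff)


def demo_app(environ, start_response):
    """Constructed app: an upload endpoint that sets a misspelled value, and a 404."""
    if environ["PATH_INFO"] == "/uploads/image.jpg":
        start_response("200 OK", [("Content-Type", "image/jpeg"),
                                  ("X-Content-Type-Options", "no-sniff")])
        return [b"\xff\xd8\xff\xe0 ...jpeg bytes..."]
    start_response("404 Not Found", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>Not Found</h1>"]


def response_headers(app, path: str) -> dict[str, str]:
    """Drive a WSGI app directly and capture its response headers (names lower-cased)."""
    captured: dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update((name.lower(), value) for name, value in headers)
        return lambda data: None

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured


if __name__ == "__main__":
    app = NoSniffMiddleware(demo_app)
    for path in ("/uploads/image.jpg", "/missing"):
        print(path, response_headers(app, path))
```

Putting the header in a middleware (or at the reverse proxy) rather than in individual views is what makes it "set-and-forget": the 404 branch above never mentions the header, yet it is delivered with `nosniff`, and the upload branch's `no-sniff` typo is corrected instead of being sent alongside a second copy.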
External References
Verify Your Fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.
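As an added verification example, not part of the original page or of the scanner's own check: a small checker over the raw header block that `curl -sI URL` prints, which flags a missing header, a misspelled value, and a response with no `Content-Type` for `nosniff` to enforce. The `RAW_RESPONSES` samples are constructed.

```python
"""Added example: verify X-Content-Type-Options on raw HTTP response headers.

Illustrative code for this page, not the scanner's own check. `RAW_RESPONSES`
are constructed header blocks in the shape printed by `curl -sI URL`.
"""
from __future__ import annotations

import sys

# Constructed samples: a vulnerable response, a fixed one, and two near-misses.
RAW_RESPONSES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 4096\r\n\r\n",
    "fixed": "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nX-Content-Type-Options: nosniff\r\n\r\n",
    "typo": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: no-sniff\r\n\r\n",
    "no_content_type": "HTTP/1.1 200 OK\r\nx-content-type-options: NOSNIFF\r\n\r\n",
}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a status line plus header lines into {lower-name: [values]}.

    A dict of lists keeps repeated headers visible (a proxy may add a second copy).
    """
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():         # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_nosniff(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the response is compliant.

    Browsers (Fetch standard) compare the first comma-separated item of the
    header case-insensitively against 'nosniff', so 'NOSNIFF' passes while
    'no-sniff' is treated exactly as if the header were absent.
    """
    headers = parse_headers(raw)
    findings: list[str] = []
    values = headers.get("x-content-type-options", [])
    if not values:
        findings.append("X-Content-Type-Options header is missing")
    elif values[0].split(",")[0].strip().lower() != "nosniff":
        findings.append(
            f"X-Content-Type-Options has invalid value {values[0]!r}; only 'nosniff' is valid"
        )
    if "content-type" not in headers:
        findings.append(
            "Content-Type is missing; nosniff can only enforce a type the server actually declares"
        )
    return findings


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Check several captured responses at once, keyed by a label such as the URL."""
    return {name: check_nosniff(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    # Accept `curl -sI URL | python3 check_nosniff.py`; otherwise run the samples.
    if not sys.stdin.isatty():
        results = {"stdin": check_nosniff(sys.stdin.read())}
    else:
        results = audit(RAW_RESPONSES)
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against more than the home page: a script, a stylesheet, an image under your upload path, an API JSON response and a deliberately wrong URL that produces a 404. Servers configured per location frequently add the header to HTML and forget static files and error pages, which is exactly where the sniffing risk lives.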