Missing Content Type

The file is being served without a Content-Type header, and some browsers treat such files as HTML. Because the data is then handled as HTML, this could lead to an XSS, depending on the circumstances.

What can happen?

Internet Explorer will parse files without a Content-Type header as HTML. This does not necessarily have security implications, but if the file's content is controlled by a user it will lead to an XSS vulnerability.

See our article about XSS for more details about the risk.

Remediation

Make sure that every file type is intentionally served with a Content-Type header. Unfortunately it is hard to give general advice on this, as the process varies depending on how the page is generated.
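One way to enforce this at the framework level, as an added example that is not part of the original page: a WSGI middleware that appends a Content-Type whenever the wrapped application omits one, so user-controlled bytes are never left for the browser to sniff. The fallback type (application/octet-stream) and the two sample applications are assumptions made here.

```python
# Added example, not from the original page: WSGI middleware that adds a
# Content-Type when the app omitted one. Fallback type and sample apps are
# choices made here.
from wsgiref.util import setup_testing_defaults

FALLBACK_CONTENT_TYPE = "application/octet-stream"  # never sniffed as HTML


def has_content_type(headers):
    """True if the header list already declares a Content-Type (any case)."""
    return any(name.lower() == "content-type" for name, _ in headers)


class EnsureContentType:
    """Wrap a WSGI app; append Content-Type only when the app left it out."""

    def __init__(self, app, fallback=FALLBACK_CONTENT_TYPE):
        self.app = app
        self.fallback = fallback

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            headers = list(headers)
            if not has_content_type(headers):
                headers.append(("Content-Type", self.fallback))
            return start_response(status, headers, exc_info)
        return self.app(environ, guarded_start_response)


def bare_app(environ, start_response):
    """Constructed sample: echoes an uploaded body with no Content-Type."""
    body = b"<p>user upload</p>"
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]


def typed_app(environ, start_response):
    """Constructed sample: declares its type in lowercase; must be preserved."""
    start_response("200 OK", [("content-type", "text/plain; charset=utf-8")])
    return [b"plain text"]


def content_type_of(app):
    """Run one request through a WSGI app; return its Content-Type or None."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    list(app(environ, start_response))  # consume the body iterable
    return next((v for k, v in captured["headers"]
                 if k.lower() == "content-type"), None)
```

Wrapping the application object once (for example at the point where the server imports it) covers every route, which sidesteps the per-page variation the remediation text mentions.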