Invalid HTML Content

The Content-Type header is set to text/html, which means that web browsers will try to parse the data as HTML. However, the data received is not actually HTML, which is why we believe this was a mistake. This is not necessarily a security issue, but it could lead to the browser trying to parse data that should not be parsed.

What can happen?

Depending on the situation, this could lead to an XSS vulnerability. This means that an attacker might be able to execute JavaScript under the vulnerable site’s domain. Read our article about XSS for a more detailed description of the risks.


This vulnerability often exists in callbacks. If the value of the callback parameter is printed directly on the page without first being sanitized, and the Content-Type is set to text/html, the result is an XSS vulnerability.

However, this finding also occurs if the developer has left files with just text in them, or error pages without proper HTML. These cases are not a security issue and can be marked as Accepted Risk to filter them out from future reports.


Set the Content-Type header so that it matches the data actually returned. If you believe this has no security implications for your website, you can let it be and mark the finding as Accepted Risk, so that we do not warn you about it in future scans.
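The callback case described above, shown before and after the fix. This is an added example, not code from the original article or from the scanner; the handler names, the response shape `{ status, headers, body }`, the 64-character limit and the callback pattern are assumptions made for illustration.

```javascript
// Added example: a JSONP-style callback endpoint modelled as pure functions
// returning { status, headers, body }. All names here are hypothetical.

// Assumed policy: callback names are dotted JavaScript identifiers only.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Before: the callback is echoed unchanged and the response is labelled as
// HTML, so the browser parses whatever the parameter contained as markup.
function jsonpVulnerable(query, data) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: `${query.callback}(${JSON.stringify(data)});`,
  };
}

// After: the callback is validated, the body is labelled as script, and
// MIME sniffing is switched off so the declared type is the one used.
function jsonpHardened(query, data) {
  const cb = String(query.callback ?? "");
  if (cb.length > 64 || !SAFE_CALLBACK.test(cb)) {
    return {
      status: 400,
      headers: {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
      },
      body: "invalid callback name",
    };
  }
  // Escape "<" and the JS line separators inside the JSON payload so the
  // data cannot be read as markup or break the statement.
  const json = JSON.stringify(data ?? null)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    // The leading comment keeps caller-chosen text from starting the body.
    body: `/**/${cb}(${json});`,
  };
}
```

For endpoints that return plain text or JSON without a callback, the same header pair applies with `text/plain` or `application/json` as the declared type.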

When in doubt, just send an email to and we will try to clear up any questions.