Recipe Name:
Security Misconfiguration: Content sniffing protection
Description:
Prevent MIME sniffing by disabling contentTypeOptions
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation:
Prevent MIME type sniffing by disabling contentTypeOptions(). When the HTTP header X-Content-Type-Options is set to 'nosniff', an attacker will not be able to derive the data's file format by inspecting the byte stream.
Before:
http.headers().contentTypeOptions();
After:
http.headers().contentTypeOptions().disable();
References:
Recipe:
id: scw:spring:content-sniffing
version: 10
metadata:
  name: 'Security Misconfiguration: Content sniffing protection'
  shortDescription: Prevent MIME sniffing by disabling contentTypeOptions
  level: error
  language: java
  scwCategory: misconfig:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationContentsniffingprotection.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          name: disable
    name: contentTypeOptions
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
    "on":
      methodcall:
        name: headers
availableFixes:
  - name: Disable contentTypeOptions
    actions:
      - rewrite:
          to: '{{{ . }}}.disable()'
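As an added example (not part of this recipe), a Spring Security configuration that keeps the X-Content-Type-Options: nosniff header described in the Documentation section, together with a MockMvc check that every response carries it. In Spring Security, headers().contentTypeOptions() enables this header (it is on by default) and .disable() removes it, so the rewrite in the recipe switches the protection off; the class names and the "/" endpoint below are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

// Hypothetical configuration class: keeps the nosniff header on every response.
@Configuration
class ContentTypeOptionsConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Emits "X-Content-Type-Options: nosniff". Spring Security sends it by
            // default; stating it explicitly documents the intent and keeps the
            // header even if headers.defaultsDisabled() is added later.
            // Calling .disable() here would REMOVE the header.
            .contentTypeOptions(Customizer.withDefaults())
        );
        return http.build();
    }
}

// Hypothetical regression test: fails if someone applies the .disable() rewrite.
@SpringBootTest
@AutoConfigureMockMvc
class ContentTypeOptionsHeaderTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void responsesCarryNosniff() throws Exception {
        // "/" is an assumed endpoint; any path served by the filter chain works.
        mockMvc.perform(get("/"))
               .andExpect(header().string("X-Content-Type-Options", "nosniff"));
    }
}
```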