Check of the HTTP content type
|Check||The HTTP content type is configured incorrectly|
|Description||The content type is a declaration placed in the HTTP response header of a web page. It defines the type of data the page contains and the character set it uses. If the declaration is missing, the web browser will try to guess the content type; this can lead to security flaws such as code-page (charset) sniffing, where the browser picks an encoding the author did not intend. The declaration is also important for rendering the page correctly in every browser and on every computer. When a server sends a document to a user agent (for example a browser), it should supply the file format in the Content-Type field of the HTTP header: this field declares the MIME type, such as text/html or text/plain, and the character encoding of the document.|
|Background||The content type is a metadata declaration placed in the header of a web page. It defines the character set and the type of data that the page contains, and is needed to render the page correctly in every browser and on every computer. The content type can be specified in the source code with a relatively short piece of code. The UTF-8 character set should be used.|
|Consequence||By specifying the correct header declaration, various cross-site scripting attacks can be prevented. If the character encoding is not specified, some web browsers will try to interpret the source code and guess its encoding, which makes possible certain attacks that rely on a different character set being assumed.|
|Solution/Tips||If the content type declaration is not configured correctly, your website is probably vulnerable to attacks. Send the declaration in the HTTP response header and in the HTML source:
Content-Type: text/html; charset=utf-8
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Furthermore, the server must be configured to send the correct charset information. Making these changes on the server requires the appropriate access rights. For further information about the different server configuration options, please refer to W3.org.
For Apache, enter in the .htaccess file:
AddType 'text/html; charset=UTF-8' html
Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)|
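As an added example, not part of the scanner's own code, the following Python checker applies the rule described above to one response: it passes only when the server's Content-Type header itself names a text type with the UTF-8 charset, and it reports a charset that appears only in a meta tag as insufficient. The sample headers and the meta-tag body are constructed here, not captured from a real site.

```python
import re

# Constructed sample inputs (hypothetical), not captured from a real server.
GOOD_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
NO_CHARSET_HEADERS = {"Content-Type": "text/html"}
LATIN1_HEADERS = {"Content-Type": "text/html; charset=ISO-8859-1"}
META_BODY = '<html><head><meta http-equiv="Content-Type" ' \
            'content="text/html; charset=utf-8"></head></html>'

META_RE = re.compile(
    r'<meta\s+http-equiv=["\']content-type["\']\s+content=["\']([^"\']+)["\']', re.I)
CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.:-]+)', re.I)


def parse_content_type(value):
    """Split a Content-Type value into (mime_type, charset-or-None).
    Tolerates a stray trailing ';' and mixed-case or quoted parameter values."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    mime = parts[0].lower() if parts else ""
    charset = None
    for param in parts[1:]:
        m = CHARSET_RE.match(param)
        if m:
            charset = m.group(1).lower()
    return mime, charset


def check_content_type(headers, body=""):
    """Return (status, reason) for one response.
    'ok' requires the server header itself to carry the charset; a <meta>
    tag in the body is only reported, because the header takes precedence
    and a browser may sniff the encoding before it reaches the tag."""
    header = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if header is None:
        return "fail", "no Content-Type header: the browser will guess type and charset"
    mime, charset = parse_content_type(header)
    if mime.startswith("text/") and charset is None:
        m = META_RE.search(body)
        meta_charset = parse_content_type(m.group(1))[1] if m else None
        hint = f" (meta tag declares {meta_charset}, header does not)" if meta_charset else ""
        return "fail", "charset missing from header" + hint
    if charset not in (None, "utf-8"):
        return "warn", f"charset is {charset}, expected utf-8"
    return "ok", header


if __name__ == "__main__":
    for name, hdrs in [("good", GOOD_HEADERS), ("no-charset", NO_CHARSET_HEADERS),
                       ("latin1", LATIN1_HEADERS), ("missing", {})]:
        print(name, *check_content_type(hdrs, META_BODY))
```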