Your API can return perfectly valid JSON all day long. But if the browser is allowed to guess the content type, it may reinterpret your response as something executable.
Nothing crashes. Nothing looks broken. And that’s exactly why this issue survives.
I tested a simple baseline check:
X-Content-Type-Options: nosniff
Result?
- Header missing
- Browser free to “sniff” the response
- Real, browser-exploitable attack surface
- Fail, not a warning
Teams often say: “But it’s just an API.”
Modern APIs are consumed from browsers, share domains with frontend assets, and return user-influenced content. MIME sniffing doesn’t care about your architecture diagram.
This is a one-line fix — and one of the most commonly forgotten ones.
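As an added example (not code from this post or the linked article), a small Python checker that applies the baseline rule the way a browser does: a missing header is a FAIL, header names are case-insensitive, and only the first comma-separated value counts. The check_url helper and the SAMPLES responses are assumptions constructed for illustration.

```python
# Added example: baseline check for X-Content-Type-Options on an HTTP response.
# Standard library only; SAMPLES below are constructed, not captured from any service.
from typing import Iterable, Tuple
import urllib.error
import urllib.request

HEADER = "x-content-type-options"


def check_nosniff(headers: Iterable[Tuple[str, str]]) -> Tuple[str, str]:
    """Judge a response's X-Content-Type-Options header.

    Returns ("PASS", reason) or ("FAIL", reason). A missing header is a FAIL,
    not a warning: the browser is then free to sniff the body.
    Mirrors the Fetch standard's "determine nosniff" step: header names are
    case-insensitive, repeated headers are joined with commas, and only the
    FIRST comma-separated value is compared (case-insensitively) to "nosniff".
    """
    values = [v for k, v in headers if k.lower() == HEADER]
    if not values:
        return "FAIL", "header missing; browser may sniff the content type"
    first = ",".join(values).split(",")[0].strip()
    if first.lower() == "nosniff":
        return "PASS", "X-Content-Type-Options: nosniff present"
    return "FAIL", f"unexpected first value {first!r}; browsers only honour 'nosniff'"


def check_url(url: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Assumed helper: GET url and run check_nosniff on its response headers.
    Error responses (4xx/5xx) still carry headers, so they are checked too."""
    req = urllib.request.Request(url, headers={"User-Agent": "nosniff-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_nosniff(resp.getheaders())
    except urllib.error.HTTPError as err:
        return check_nosniff(list(err.headers.items()))


# Constructed sample responses covering the cases a checker must get right.
SAMPLES = {
    "missing":     [("Content-Type", "application/json")],
    "present":     [("Content-Type", "application/json"),
                    ("X-Content-Type-Options", "nosniff")],
    "mixed_case":  [("x-content-type-options", "NoSniff")],
    "wrong_first": [("X-Content-Type-Options", "none, nosniff")],  # first value wins
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        status, reason = check_nosniff(hdrs)
        print(f"{name:12} {status}  {reason}")
```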
👉 Full story: https://rentgen.io/api-stories/mime-sniffing-protection.html