Protect yourself from malicious exploitation via MIME sniffing.
MIME-Type sniffing explained
Internet Explorer and Chrome browsers have a feature called "MIME-Type sniffing" that automatically detects a web resource's type. This means, for example, that a resource identified as an image can be read as a script if its content is a script.
This property allows a malicious person to send a file to your website to inject malicious code. We advise you to disable the MIME-Type sniffing to limit such activity.
Chrome has been working on a feature called Site Isolation which provides extensive mitigation against exploitation of these types of vulnerabilities. Site Isolation is more effective when MIME types are correct.
How to prevent MIME-Type sniffing
Configure a "X-Content-Type-Options" HTTP header. Add the "X-Content-Type-Options" HTTP header in the responses of each resource, associated to the "nosniff" value. It allows you to guard against such misinterpretations of your resources.
https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/
HTTP headers are more efficient than the http-equiv meta tags.
The <meta http-equiv=/> tags
The http-equiv meta tags allow to communicate to the web browser information equivalent to the ones of HTTP headers. For example, the meta <meta http-equiv=content-type/> will have the same consequences than the HTTP Content-Type header.
Two points don’t stimulate the use of http-equiv meta tags:
Going through the meta requires to interpret the beginning of the HTML page, which is slower than going through the HTTP headers in terms of performance
If the HTTP header is already present, the meta is ignored
In which cases are the <meta http-equiv=/> useful?
Only one case can justify the presence of these meta tags: if you don’t have access to the configuration of your server, and that is to say to the HTTP headers.
However, we advice you to use a configurable server so that you can establish the most efficient site possible.
This page contains 1 http-equiv meta tag. If possible, you should replace it:
x-ua-compatible
<p>, <li>, <button>, <legend>, <caption>, <figcaption> and <quote> elements must not be empty because if they are, some screen readers will have difficulties interpreting their presence.
Remove these empty elements from you code or decorate them with the aria-hidden attribute so that the screen readers ignore them.
Simon