Description
PCI compliance reports feature an issue called 'HTTP Security Header not detected', with a sub-section on the X-Content-Type-Options HTTP header on the FortiOS web administration interface (usually on port 443).
"""
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is 'nosniff' if the server returns.
X-Content-Type-Options: 'nosniff' in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype.
"""
Based on the test described in [2], the dangerous form of MIME sniffing [1] (the browser re-interpreting a response served with a non-HTML Content-Type as HTML, so that an attacker-controlled file is rendered and its script executed in the origin of the administration interface) was specific to older versions of the Internet Explorer browser [3]. Current browsers follow the standardised sniffing rules and do not upgrade a declared text type to executable HTML; since FortiOS officially only supports current Edge, Firefox, Chrome and Safari browsers, the risk is nonexistent in practice. The header still gives some defence in depth in current browsers (a script or stylesheet served with a wrong MIME type is refused), but that only matters for content the server itself mislabels and does not change the severity of this finding for the administration interface.
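To reproduce the scanner's check locally, the following script (an added example, not part of this article or of FortiOS) parses raw HTTP responses and reports whether X-Content-Type-Options is present and evaluates to 'nosniff' under the Fetch standard's rule (duplicates joined with commas, only the first value compared, ASCII case-insensitively). It also reports whether a Content-Type is declared at all, because a response with no declared type is sniffed by every browser, not just old Internet Explorer. The sample responses are constructed for the example, and the `probe()` helper that queries a live host is a hypothetical addition that assumes the target speaks HTTPS on the given port.

```python
"""Checker for the 'X-Content-Type-Options' PCI finding (added example)."""
import http.client
import io
import ssl


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, HTTPMessage headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split(None, 2)[1])
    # parse_headers reads lines until a blank line, so re-terminate the block.
    headers = http.client.parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    return status, headers


def evaluate(status: int, headers) -> dict:
    """Classify the header the way a browser (Fetch 'determine nosniff') would."""
    values = headers.get_all("X-Content-Type-Options") or []
    # Duplicate headers are combined with ", "; only the first list element counts.
    first = ",".join(values).split(",")[0].strip().lower()
    if not values:
        finding = "missing"          # what the PCI scanner reports as 'not detected'
    elif first == "nosniff":
        finding = "ok"
    else:
        finding = "invalid"          # header present but browsers ignore its value
    return {
        "status": status,
        "nosniff": finding,
        "values": values,
        # None here means the browser will sniff regardless of its vendor or age.
        "content_type": headers.get("Content-Type"),
    }


def check_nosniff(raw: bytes) -> dict:
    """Run the check on a captured raw response."""
    status, headers = parse_response(raw)
    return evaluate(status, headers)


def probe(host: str, port: int = 443, path: str = "/", verify: bool = True) -> dict:
    """Hypothetical live check: fetch the response head over TLS and evaluate it.

    Administration interfaces frequently use self-signed certificates, so
    verify=False disables certificate validation for the probe only.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    try:
        return evaluate(resp.status, resp.headers)
    finally:
        conn.close()


# Constructed sample responses; they are not captures from a real FortiGate.
RESP_NO_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)
RESP_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Content-Type-Options: NOSNIFF, extra-token\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)
RESP_BAD_VALUE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"x-content-type-options: sniff\r\n"
    b"\r\n"
)
RESP_NO_CTYPE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"\r\n"
    b"<script>alert(1)</script>"
)

if __name__ == "__main__":
    for name, raw in [("no header", RESP_NO_HEADER), ("nosniff", RESP_NOSNIFF),
                      ("bad value", RESP_BAD_VALUE), ("no content-type", RESP_NO_CTYPE)]:
        print(name, check_nosniff(raw))
```

Run it as-is to see the four classifications; to test a real interface, call `probe("192.0.2.1", 443, verify=False)` from an interpreter (the address is a placeholder) and compare the result with the scanner's finding.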
Scope
FortiOS web administration interface.

Solution
Avoid using Internet Explorer to access the FortiOS administration interface and always keep the browser up to date.

Reference
[1] https://www.keycdn.com/support/what-is-mime-sniffing
[2] http://pwndizzle.blogspot.com/2015/07/xss-extensions-and-content-types.html
[3] https://blogs.msdn.microsoft.com/ie/2010/10/26/mime-handling-changes-in-internet-explorer/