If your application allows file uploads and the web server uses the default MIME type configuration, this can be a security issue.
Example:
A user uploads a file with HTML/JavaScript content and no file extension.
In the Apache default configuration, the file is served with no Content-Type header when it is accessed. Some browsers will guess/autodetect it as HTML, and now you are vulnerable to XSS.
To prevent this, you can set a default Content-Type (e.g. text/plain or application/octet-stream).
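One way to apply this in Apache 2.4, shown as an added example that is not from the original page. The directory path is a hypothetical placeholder, and the nosniff header is an addition beyond the default Content-Type the text recommends.

```apacheconf
# Hypothetical upload directory; replace with the real path.
<Directory "/var/www/example/uploads">

    # Files whose name contains no dot match no entry in mime.types,
    # so Apache would send them without a Content-Type header.
    # Give exactly those files a fixed, non-renderable type.
    <FilesMatch "^[^.]+$">
        ForceType text/plain
    </FilesMatch>

    # Stricter alternative: treat every upload as an opaque download,
    # whatever its extension. Uncomment to use instead of the block above.
    # ForceType application/octet-stream

    # Ask browsers not to override the declared type by sniffing content.
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>

    # Keep per-directory .htaccess files (which could themselves be
    # uploaded) from changing these settings.
    AllowOverride None
</Directory>

# Apache 2.2 only: a server-wide default type for unmapped files.
# In 2.4 the DefaultType directive is disabled (only "none" is accepted),
# which is why ForceType is used above.
# DefaultType text/plain
```

After reloading the server, requesting an extensionless file from that directory with `curl -I` should show `Content-Type: text/plain` and the `X-Content-Type-Options` header in the response.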