- Bug
- Resolution: Fixed
- Minor
- 2.417
TcpSlaveAgentListener responds to HTTP GET requests with a canned "hello" response:
    if (header.startsWith("GET ")) {
        // this looks like an HTTP client
        respondHello(header, s);
        return;
    }
Web application scanners can perform GET requests on listening TCP sockets to find potential vulnerabilities. One such check is to ensure the response contains an X-Content-Type-Options header. Jenkins added this header to all HTTP responses back in 2015 to resolve SECURITY-177.
I don't believe the canned "hello" response from the TcpSlaveAgentListener is exploitable; however, it would be nice to include this header in the canned response so scanners don't flag it as a potential vulnerability going forward.
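As an added example (not part of this report or of the Jenkins code base), this is the scanner-side check in Python: parse the listener's raw response and look for the header only in the header section, because the canned body itself consists of header-looking lines such as "Jenkins-Version: ...", which a plain substring search would mistake for a real header. The sample responses are constructed from the patched code; the protocol name JNLP4-connect is an assumed value.

```python
def parse_http_response(raw: bytes) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.0 response into (status line, headers, body).

    Only the section before the first blank line is treated as headers.
    The listener's body is itself made of header-looking lines such as
    "Jenkins-Version: ...", so a naive substring search over the whole
    response would report a header that is not really there.
    """
    head, _, body = raw.decode("utf-8").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive, so normalise before lookup.
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def has_nosniff(raw: bytes) -> bool:
    """True only if X-Content-Type-Options: nosniff is a real header."""
    _, headers, _ = parse_http_response(raw)
    return headers.get("x-content-type-options", "").lower() == "nosniff"


# Constructed sample: the canned response before the fix (no nosniff).
BEFORE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/plain;charset=UTF-8\r\n"
    b"\r\n"
    b"Jenkins-Agent-Protocols: JNLP4-connect\r\n"  # assumed protocol name
    b"Jenkins-Version: 2.417\r\n"
)

# Constructed sample: the same response with the header added by the patch.
AFTER = BEFORE.replace(
    b"Content-Type: text/plain;charset=UTF-8\r\n",
    b"Content-Type: text/plain;charset=UTF-8\r\nX-Content-Type-Options: nosniff\r\n",
)

# Constructed sample: the header name appearing only in the body must not count.
BODY_ONLY = b"HTTP/1.0 200 OK\r\n\r\nX-Content-Type-Options: nosniff\r\n"

if __name__ == "__main__":
    for name, resp in (("before", BEFORE), ("after", AFTER), ("body only", BODY_ONLY)):
        print(f"{name}: nosniff header present = {has_nosniff(resp)}")
```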
The change is simple:
diff --git a/core/src/main/java/hudson/TcpSlaveAgentListener.java b/core/src/main/java/hudson/TcpSlaveAgentListener.java
index 99c83866df..dbe280535d 100644
--- a/core/src/main/java/hudson/TcpSlaveAgentListener.java
+++ b/core/src/main/java/hudson/TcpSlaveAgentListener.java
@@ -315,6 +315,7 @@ public final class TcpSlaveAgentListener extends Thread {
if (header.startsWith("GET / ")) {
response = "HTTP/1.0 200 OK\r\n" +
"Content-Type: text/plain;charset=UTF-8\r\n" +
+ "X-Content-Type-Options: nosniff\r\n" +
"\r\n" +
"Jenkins-Agent-Protocols: " + getAgentProtocolNames() + "\r\n" +
"Jenkins-Version: " + Jenkins.VERSION + "\r\n" +
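Review bot: the new `X-Content-Type-Options: nosniff` line is added only to the response built under `if (header.startsWith("GET / "))`, while the description quotes the dispatch as `header.startsWith("GET ")`; if the listener answers any other GET request (a different path, or a non-200 reply) from a separate branch, that response will still be flagged by the same scanner check, so confirm every HTTP response this method emits carries the header. A short comment beside the new line referencing SECURITY-177 would also record why the header is there, so it is not dropped in a later cleanup of the canned response.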