Insecure or unset HTTP headers - X-Content-Type-Options

Need

To prevent MIME sniffing attacks

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug Cowboy for building web applications in Elixir

• Usage of HTTP headers management

Description

1. Non compliant code

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Only Content-Type is set; nothing tells the browser not to sniff it.
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "<h1>Hello</h1>")
  end
end

In this Elixir code snippet, the server response does not include the X-Content-Type-Options header. Without it, a browser may ignore the declared Content-Type and guess ("sniff") the type from the body, so a response served as plain text, JSON or a file download can be treated as HTML or script if its bytes look like one, which turns content injection into cross-site scripting. Browsers also use this header to refuse script and stylesheet loads whose MIME type does not match, so its absence weakens those checks as well.

2. Steps

• Set the X-Content-Type-Options header on every server response, not only on HTML routes; error pages, API responses and downloads need it as well.

• Set this header to nosniff, the only defined value, to disable MIME type sniffing.

• In Plug the header key must be lowercase ("x-content-type-options"); Plug rejects mixed-case keys. Setting it in a plug that runs before :match, or through Phoenix's put_secure_browser_headers, applies it to every route.

3. Secure code example

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    # Header key is lowercase as Plug requires; the value must be "nosniff".
    |> put_resp_header("x-content-type-options", "nosniff")
    |> send_resp(200, "<h1>Hello</h1>")
  end
end

In this Elixir code snippet, the server response includes the X-Content-Type-Options header with a value of nosniff, so the browser honours the declared Content-Type instead of sniffing the body. Note that this only protects the route that sets it; routes that forget the call, and the router's default 404 response, are still served without the header.
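The following is an added example, not code from the original page or from the Plug project. It applies the header once, in a small function plug placed before :match so that every route and the 404 fallback receive it, and verifies that with an ExUnit test using Plug.Test. The module names (NoSniff, App.Router, App.RouterTest) and the routes are assumptions chosen for the illustration.

```elixir
# Added example: set X-Content-Type-Options: nosniff pipeline-wide and test it.
defmodule NoSniff do
  @moduledoc "Function plug adding x-content-type-options: nosniff to every response."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Plug requires lowercase header keys; "X-Content-Type-Options" would raise.
    put_resp_header(conn, "x-content-type-options", "nosniff")
  end
end

defmodule App.Router do
  use Plug.Router

  # Runs before :match/:dispatch, so every route and the 404 below get the header.
  plug NoSniff
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "<h1>Hello</h1>")
  end

  # A download whose body looks like HTML: without nosniff a sniffing browser
  # could render it as a page and run the script. (Constructed sample content.)
  get "/export.csv" do
    conn
    |> put_resp_content_type("text/csv")
    |> send_resp(200, "id,name\n1,<script>alert(1)</script>\n")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# Run with `mix test`: checks that the header is present on a normal page,
# on a download and on the 404 fallback, not only on routes that remember it.
defmodule App.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts App.Router.init([])

  test "nosniff header is set on page, download and 404 responses" do
    for path <- ["/", "/export.csv", "/missing"] do
      conn = conn(:get, path) |> App.Router.call(@opts)
      assert get_resp_header(conn, "x-content-type-options") == ["nosniff"]
    end
  end
end
```

Against a running server the same check is a one-liner: curl -sI http://localhost:4000/ and confirm the response contains x-content-type-options: nosniff. Keep the plug ahead of :match rather than inside each route so that a newly added route cannot silently drop the header.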