Insecure or unset HTTP headers - Accept

Need

To prevent unexpected behaviors due to content type misinterpretations

Context

• Usage of Elixir (v1.12+) for building scalable and concurrent applications

• Usage of Plug.Router for handling HTTP requests

Description

1. Non-compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  # Every request is served regardless of the Content-Type it declares
  match _ do
    send_resp(conn, 200, "Hello, world!")
  end
end

The Elixir code does not set the Accept header or validate the Content-Type of incoming requests. The application may therefore interpret a body under the wrong content type, which leads to unexpected behavior.

2. Steps

• Check the Content-Type of the incoming requests

• Only allow the application/json content type

• Respond with a 406 Not Acceptable status code if the Content-Type is different

3. Secure code example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    # get_req_header/2 is imported by Plug.Router and returns a list of values
    case get_req_header(conn, "content-type") do
      ["application/json"] -> send_resp(conn, 200, "Hello, world!")
      _ -> send_resp(conn, 406, "Not Acceptable")
    end
  end
end

The secure Elixir code checks the Content-Type of the incoming requests and only allows application/json. If the Content-Type is different, the application responds with a 406 Not Acceptable status code.
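The exact-match check above rejects a legitimate header such as application/json; charset=utf-8, because the whole string is compared. The following plug is an added example (not code from the original page) that applies the same steps but parses the media type with Plug.Conn.Utils.content_type/1 so parameters do not cause false rejections; the module name MyApp.Plugs.RequireJSON is an assumption.

```elixir
defmodule MyApp.Plugs.RequireJSON do
  @moduledoc """
  Added example: a reusable plug that implements the Content-Type check
  described on this page. It accepts application/json with or without
  parameters (e.g. a charset) and halts the pipeline with the page's
  406 response for anything else. Module name is hypothetical.
  """
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    if json?(conn) do
      conn
    else
      conn
      |> send_resp(406, "Not Acceptable")
      |> halt()
    end
  end

  # Uses Plug's own media-type parser instead of comparing the raw string,
  # so "application/json; charset=utf-8" is recognised as JSON.
  def json?(conn) do
    case get_req_header(conn, "content-type") do
      [value | _] ->
        case Plug.Conn.Utils.content_type(value) do
          {:ok, "application", "json", _params} -> true
          _ -> false
        end

      [] ->
        false
    end
  end
end
```

In the router, add plug MyApp.Plugs.RequireJSON before plug :match so non-JSON requests are stopped before any route runs.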