Insecure or Unset HTTP Headers - Content-Type - Elixir


Need

To prevent unexpected behaviors due to content type misinterpretations


Context

  1. Usage of Elixir 1.12 for functional programming on the Erlang virtual machine
  2. Usage of Phoenix Framework 1.6 for web development

Description

Insecure Code Example

```elixir
defmodule PageController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    # Plug.Conn.send_resp/3 does not add a Content-Type header on its own,
    # so this response goes out without one.
    send_resp(conn, 200, "Hello, world!")
  end
end
```

In the insecure code example, the `index` function responds to a GET request but does not set the Content-Type header. The client then has to guess (sniff) the type from the response body, and a guess that differs from what the application intended leads to unexpected behaviors.

Steps

  1. Always set the Content-Type header so that every response explicitly declares the type of content it carries
  2. Use the `put_resp_content_type/2` function, which Phoenix controllers import from `Plug.Conn`, to set the Content-Type header

Secure Code Example

```elixir
defmodule PageController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    conn
    # Sets "text/plain; charset=utf-8": put_resp_content_type/2 appends
    # charset=utf-8 by default (pass a third argument to change or drop it).
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello, world!")
  end
end
```

In the secure code, the `index` function sets the Content-Type header to `text/plain` (sent as `text/plain; charset=utf-8`, since `put_resp_content_type/2` adds the charset by default). This tells the client what kind of content the response contains, so it has no reason to sniff the body and misinterpret it.
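Setting the header in each action only helps if no action is forgotten. The following is an added example, not code from the original page or from Phoenix: a small Plug (module names are hypothetical, and only the `plug` library that Phoenix already depends on is assumed) that runs just before every response is sent, logs any response that still has no Content-Type, and applies a configurable fallback type, together with an ExUnit test that exercises both paths with `Plug.Test`.

```elixir
# Added example (not part of the original page). Module names are hypothetical.
defmodule MyAppWeb.ContentTypeAudit do
  @moduledoc """
  Plug that audits outgoing responses: if a response reaches the send stage
  without a Content-Type header, it is logged (so the missing action can be
  fixed) and given a safe fallback type instead of leaving the client to sniff.
  """
  import Plug.Conn
  require Logger

  # `fallback` is the media type applied to responses that set none.
  def init(opts), do: Keyword.get(opts, :fallback, "text/plain")

  def call(conn, fallback) do
    # Callbacks registered here run after the action, before the body is sent,
    # while headers can still be modified.
    register_before_send(conn, fn conn ->
      case get_resp_header(conn, "content-type") do
        [] ->
          Logger.warning(
            "#{conn.method} #{conn.request_path} responded without Content-Type; " <>
              "applying fallback #{fallback}"
          )

          put_resp_content_type(conn, fallback)

        [_ | _] ->
          conn
      end
    end)
  end
end

defmodule MyAppWeb.ContentTypeAuditTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias MyAppWeb.ContentTypeAudit

  test "an explicitly set Content-Type is left untouched" do
    conn =
      conn(:get, "/api/items")
      |> ContentTypeAudit.call(ContentTypeAudit.init([]))
      |> put_resp_content_type("application/json")
      |> send_resp(200, ~s({"items": []}))

    assert get_resp_header(conn, "content-type") == ["application/json; charset=utf-8"]
  end

  test "a response that sets no Content-Type receives the fallback" do
    conn =
      conn(:get, "/")
      |> ContentTypeAudit.call(ContentTypeAudit.init(fallback: "text/plain"))
      |> send_resp(200, "Hello, world!")

    # Same header the secure example produces, but now guaranteed for every route.
    assert get_resp_header(conn, "content-type") == ["text/plain; charset=utf-8"]
  end
end
```

To use the audit plug application-wide, add `plug MyAppWeb.ContentTypeAudit, fallback: "text/plain"` to the endpoint before `plug MyAppWeb.Router`; the tests run under `mix test` in a Phoenix project. The warning in the log is the useful part: it points at the action that still relies on the fallback, which should then be fixed with an explicit `put_resp_content_type/2` (or one of the controller helpers `text/2`, `json/2` and `html/2`, which set the header themselves).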


References

  • 329 - Insecure or Unset HTTP Headers - Content-Type

Last updated: 2023/09/18