Insecure or Unset HTTP Headers

Insecure or Unset HTTP Headers - Content-Type

Need

To prevent unexpected behaviors due to content type misinterpretations

Context

• Usage of Elixir 1.12 for functional programming on the Erlang virtual machine

• Usage of Phoenix Framework 1.6 for web development

Description

1. Non compliant code

defmodule PageController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    send_resp(conn, 200, "Hello, world!")
  end
end

In the insecure code example, the `index` function responds to a GET request but does not set the Content-Type header. This can lead to misinterpretation of the content type, which can cause unexpected behaviors in clients.

2. Steps

• Always set the Content-Type header to explicitly define the content types allowed by the application

• Use `put_resp_content_type` function provided by Phoenix framework to set the Content-Type header

3. Secure code example

defmodule PageController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello, world!")
end...

In the secure code, the `index` function sets the Content-Type header to `text/plain`. This informs the client about the type of content in the response, preventing misinterpretations.

References

• 329. Insecure or Unset HTTP Headers - Content-Type

On this page