
Insecure or unset HTTP headers - X-Content-Type-Options - Ruby


Need

Enforcement of secure content type options through the X-Content-Type-Options HTTP header


Context

  1. Usage of Ruby for building dynamic and object-oriented applications

Description

Insecure Code Example

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # No callbacks or header configuration: nothing here sets X-Content-Type-Options.
end

In the above code, `ApplicationController` is the Ruby on Rails controller that every other controller in the application inherits from, so it is the natural place to set HTTP headers that should apply to every response. This version sets no headers at all, and in particular never sends `X-Content-Type-Options`. That header protects against MIME type confusion attacks. Without it, or with any value other than `nosniff`, a browser may sniff the response body and treat it as a different type from the one declared in `Content-Type`; this matters most when the server omits the `Content-Type` header or sends an incorrect or generic one. For example, a response with no `Content-Type` whose body begins with HTML markup may be rendered as a page, and any script in it then runs in the site's origin. With `nosniff`, the browser honours the declared type and additionally refuses to execute a `<script>` or apply a stylesheet whose `Content-Type` does not match. Note that Rails 4.0 and later add this header to every response by default through `config.action_dispatch.default_headers`; the code above is only exposed where that default has been removed or where a response is produced outside the Rails stack.

Steps

  1. Add the X-Content-Type-Options HTTP header to the server's response.
  2. Set the value of the X-Content-Type-Options header to 'nosniff'.
  3. Ensure that the X-Content-Type-Options header is set for all responses, including error responses.
  4. Verify that the X-Content-Type-Options header is correctly set by inspecting the server's response headers.

Secure Code Example

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Runs before every action of every controller that inherits from this class.
  before_action :set_headers

  private

  def set_headers
    # Tell the browser to trust the declared Content-Type and never sniff the body.
    response.headers['X-Content-Type-Options'] = 'nosniff'
  end
end

The above code sets the `X-Content-Type-Options` header to `nosniff` from a `before_action` callback in `ApplicationController`, so `set_headers` runs before every action of every controller that inherits from it and the header reaches every response those actions render. The browser then honours the declared `Content-Type` instead of sniffing the body, which prevents MIME type confusion attacks. Two limits are worth knowing. A `before_action` only runs for requests that reach such a controller: responses produced by middleware, for instance routing errors and the exception pages Rails renders when an action raises, never pass through it, so step 3 is not fully met by this callback alone. Rails also provides `config.action_dispatch.default_headers`, which applies to every response the framework builds without depending on which controller handled the request and which already includes `X-Content-Type-Options: nosniff` in Rails 4.0 and later; prefer that setting, or a Rack middleware at the outer edge of the stack, when the header must also cover error responses. Whichever approach is used, verify it by inspecting the response headers of both a normal page and an error page, for example with `curl -I`.
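The four steps above, including the error-response case that a controller callback alone does not cover, as an added example that is not part of the original page or of Rails itself: a Rack-compatible middleware that adds `X-Content-Type-Options: nosniff` to every response, overwrites any weaker value set further down the stack, and still emits the header when the wrapped application raises, together with a checker that inspects a response's headers as step 4 asks. Only the Rack calling convention (`call(env)` returning `[status, headers, body]`) is assumed; the `rack` gem is not required. The names `NosniffMiddleware` and `nosniff_set?` and the sample applications are constructed for this example.

```ruby
# Added example: Rack-style middleware enforcing X-Content-Type-Options: nosniff
# on every response, plus a checker for verifying response headers.
# NosniffMiddleware and nosniff_set? are names chosen here, not Rails APIs.
class NosniffMiddleware
  HEADER = 'X-Content-Type-Options'
  VALUE  = 'nosniff'

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, with_nosniff(headers), body]
  rescue StandardError
    # An exception below us must still yield a protected response (step 3):
    # a bare 500 without the header would be exactly the gap an attacker wants.
    [500, with_nosniff('Content-Type' => 'text/plain'), ["Internal Server Error\n"]]
  end

  private

  # Replace, rather than merge: header names are case-insensitive, and a
  # downstream value other than 'nosniff' is as bad as a missing header.
  def with_nosniff(headers)
    fixed = headers.reject { |name, _| name.casecmp?(HEADER) }
    fixed[HEADER] = VALUE
    fixed
  end
end

# Step 4 as code: true only when the header is present (case-insensitive name
# lookup) and its first token is 'nosniff'; browsers compare that token
# case-insensitively and ignore anything after a comma.
def nosniff_set?(headers)
  _name, value = headers.find { |name, _| name.casecmp?('X-Content-Type-Options') }
  return false if value.nil?

  value.to_s.split(',').first.to_s.strip.casecmp?('nosniff')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample applications, not taken from any real code base.
  samples = {
    'normal page'    => ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hello</h1>']] },
    'weak downstream' => ->(_env) { [200, { 'x-content-type-options' => 'sniff' }, ['data']] },
    'raising action' => ->(_env) { raise 'database down' }
  }
  samples.each do |name, app|
    status, headers, _body = NosniffMiddleware.new(app).call({})
    puts format('%-16s status=%d nosniff=%s', name, status, nosniff_set?(headers))
  end
end
```

In a Rails application the equivalent would be registered with `config.middleware.insert_before 0, NosniffMiddleware` so that it wraps the exception-handling middleware as well as the controllers; the checker is the same test you would run by hand against `curl -I` output.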


References

  • 132 - Insecure or unset HTTP headers - X-Content-Type-Options

  • Last updated: 2023/09/18