Insecure or unset HTTP headers - X-Content-Type-Options - Scala


Need

Enforcement of secure content type options


Context

  1. Usage of Scala for building scalable and functional applications
  2. Usage of play.api.mvc for handling HTTP requests and responses in Play Framework

Description

Insecure Code Example

import play.api.mvc._

object Application extends Controller {
  def index = Action {
    Ok("Hello, World!")
  }
}

This code represents a simple HTTP server that responds to requests at the root URL ("/") with the text "Hello, World!". The `Action` function is used to handle HTTP requests and generate HTTP responses. In this case, the `Ok` function is used to generate an HTTP response with a 200 status code and the text "Hello, World!" as the body. However, this code does not include the X-Content-Type-Options HTTP header in its response. The X-Content-Type-Options HTTP header is used to protect against MIME type confusion attacks, which can lead to security vulnerabilities. By not including this header, the server is potentially vulnerable to these types of attacks. To include the X-Content-Type-Options HTTP header, you would need to modify the `Ok` function call to include it, like so:

```scala
Ok("Hello, World!").withHeaders("X-Content-Type-Options" -> "nosniff")
```

This will include the X-Content-Type-Options HTTP header with the value "nosniff", which tells the browser not to interpret the content as a different MIME type than the one specified by the Content-Type HTTP header.

Steps

  1. Add the X-Content-Type-Options HTTP header to the server's response
  2. Set the value of the X-Content-Type-Options header to 'nosniff'
  3. Ensure that the X-Content-Type-Options header is set for all responses, including error responses
  4. Verify that the X-Content-Type-Options header is correctly set by inspecting the server's response headers

Secure Code Example

import play.api.mvc._

object Application extends Controller {
  def index = Action { request =>
    Ok("Hello, World!").withHeaders("X-Content-Type-Options" -> "nosniff")
  }
}

The above code fixes the vulnerability by adding the `X-Content-Type-Options` HTTP header to the server's response. The value of the `X-Content-Type-Options` header is set to `nosniff`. This tells the browser not to interpret the content as anything other than the declared content type. The `withHeaders("X-Content-Type-Options" -> "nosniff")` call is used to add the HTTP header to the response. This ensures that the `X-Content-Type-Options` header is set for all responses, including error responses. After implementing this fix, you should verify that the `X-Content-Type-Options` header is correctly set by inspecting the server's response headers. This can be done using browser developer tools or a tool like curl or Postman.
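Calling `withHeaders` inside one action only covers that action's response. To satisfy step 3 (every response, including error pages), the header is better applied once in a Play filter. The following is an added example, not code from the original page or from the Play project; the package name `filters`, the class name `NoSniffFilter`, and a Play 2.6+ application are assumptions. Play also ships `play.filters.headers.SecurityHeadersFilter`, whose default `play.filters.headers.contentTypeOptions` is already `"nosniff"`; the custom filter below shows what that mechanism does and additionally covers 5xx pages rendered after an uncaught exception.

```scala
// Added example (not from the original page): a Play 2.6+ filter that sets
// X-Content-Type-Options: nosniff on every response rather than per action.
// Package and class names are assumptions.
package filters

import javax.inject.Inject
import scala.concurrent.{ExecutionContext, Future}
import akka.stream.Materializer
import play.api.http.HttpErrorHandler
import play.api.mvc._

class NoSniffFilter @Inject() (errorHandler: HttpErrorHandler)(
    implicit val mat: Materializer,
    ec: ExecutionContext
) extends Filter {

  private val NoSniff = "X-Content-Type-Options" -> "nosniff"

  override def apply(next: RequestHeader => Future[Result])(
      rh: RequestHeader
  ): Future[Result] =
    next(rh)
      // Normal results and the router's 404 responses pass through here.
      .map(_.withHeaders(NoSniff))
      // An action that throws would otherwise be rendered by the error
      // handler outside this filter; render it here so the 5xx page is
      // covered as well (step 3: "including error responses").
      .recoverWith { case e: Throwable =>
        errorHandler.onServerError(rh, e).map(_.withHeaders(NoSniff))
      }
}

// Register the filter in conf/application.conf so it wraps every route:
//
//   play.filters.enabled += "filters.NoSniffFilter"
```

For step 4, `curl -sI http://localhost:9000/ | grep -i x-content-type-options` against both an existing and a non-existent path shows the header on normal and error responses.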


References

  • 132 - Insecure or unset HTTP headers - X-Content-Type-Options

  • Last updated: 2023/09/18