Insecure or unset HTTP headers - Content-Type
Need
Ensure secure and properly set HTTP headers, including the Content-Type header, in server responses.
Context
• Usage of TypeScript for static typing and enhanced developer experience in Node.js development
• Usage of Express for building web applications and handling HTTP requests
Description
1. Non-compliant code
import express from 'express';

const app = express();

app.get('/api/data', (req, res) => {
  const data = {
    id: 1,
    age: 25,
    ...

The vulnerability in this code is that it does not set the Content-Type header in the server response. By default, the `res.send()` method in Express sets the Content-Type header to `text/html`. Here, however, the response sends JSON data without explicitly setting the Content-Type header to `application/json`. This can lead to unexpected behaviour and misinterpretation by the client, or by other components of the application that rely on the Content-Type header to determine what kind of data is being sent. For example, a client that expects JSON but receives a response with a Content-Type of `text/html` may be unable to parse it correctly. To fix this vulnerability, the code should explicitly set the Content-Type header to `application/json` whenever it sends JSON data in the response.
2. Steps
• Import the 'helmet' package
• Add the 'helmet' middleware to the Express app
• Set the 'Content-Type' header in the server response
3. Secure code example
import express from 'express';
import helmet from 'helmet';

const app = express();

app.use(helmet());

const data = {
  ...

The fixed code addresses the vulnerability by explicitly setting the Content-Type header in the server response. The code imports the necessary modules, Express and Helmet; Helmet is a middleware that helps secure the Express application. The Express application is created and the Helmet middleware is registered with `app.use()`. Helmet helps to set various security-related HTTP headers, including the Content-Type header. A route is defined for the `/api/data` endpoint with `app.get()`. Inside the route handler, a data object is created with some sample data. To fix the vulnerability, `res.setHeader()` is used to set the Content-Type header to `application/json`, indicating that the response body is JSON. Finally, the response is sent with `res.send()`, which sends the data object as the response body. By explicitly setting the Content-Type header to `application/json`, the fixed code ensures that the client interprets the response correctly, avoiding unexpected behaviour caused by content-type misinterpretation.
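As an added example that is not part of the original page or of the Express or Helmet projects: a stand-in for the fixed route that sets the Content-Type explicitly, alongside a small audit that flags the non-compliant shape described above (a JSON body declared as text/html). Express's `res` is replaced by plain objects so the code runs on its own; the `X-Content-Type-Options: nosniff` header is the one `helmet()` sets by default, and `sendJson`, `header` and `auditJsonResponse` are names chosen for this example.

```typescript
// Added example, not code from the original page. Plain objects stand in for
// Express's response so it runs without Express; the names below are assumptions.
type HttpHeaders = Record<string, string>;
interface HttpResponse { status: number; headers: HttpHeaders; body: string }

// Mirrors the fixed route: the JSON Content-Type is declared explicitly,
// never left to framework defaults. nosniff is what helmet() adds by default.
function sendJson(data: unknown, status = 200): HttpResponse {
  return {
    status,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify(data),
  };
}

// Case-insensitive lookup, since HTTP header names are case-insensitive.
function header(headers: HttpHeaders, name: string): string | undefined {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Defender-side audit: a JSON body must be declared as application/json, and
// nosniff must be present so browsers do not second-guess the declared type.
function auditJsonResponse(res: HttpResponse): string[] {
  const findings: string[] = [];
  let isJson = false;
  try { JSON.parse(res.body); isJson = true; } catch { /* body is not JSON */ }
  const ct = header(res.headers, "content-type");
  if (ct === undefined) findings.push("Content-Type header missing");
  else if (isJson && !ct.toLowerCase().startsWith("application/json"))
    findings.push(`JSON body declared as ${ct}`);
  if (header(res.headers, "x-content-type-options")?.toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options: nosniff missing");
  return findings;
}

// Constructed sample of the non-compliant shape: JSON sent as text/html.
const insecureResponse: HttpResponse = {
  status: 200,
  headers: { "Content-Type": "text/html; charset=utf-8" },
  body: JSON.stringify({ id: 1, age: 25 }),
};
```

Running `auditJsonResponse(insecureResponse)` reports both the mismatched Content-Type and the missing nosniff header, while `auditJsonResponse(sendJson({ id: 1, age: 25 }))` reports nothing.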