Insecure or unset HTTP headers - Content-Type - TypeScript
Need
Ensure secure and properly set HTTP headers, including the Content-Type header, in server responses.
Context
- Usage of TypeScript for static typing and enhanced developer experience in Node.js development
- Usage of Express for building web applications and handling HTTP requests
Description
Insecure Code Example
import express from 'express';

const app = express();

app.get('/api/data', (req, res) => {
  const data = {
    id: 1,
    name: 'John Doe',
    age: 25,
  };
  // The Content-Type header is never set explicitly before the JSON body is sent
  res.send(data);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The vulnerability in this code is that it does not define the Content-Type header in the server response. By default, the `res.send()` method in Express sets the Content-Type header to `text/html`. Here, however, the response carries JSON data without the Content-Type header being explicitly set to `application/json`. This can lead to unexpected behaviour and misinterpretation by the client, or by other components of the application that rely on the Content-Type header to determine the type of data being sent. For example, a client that expects JSON but receives a response whose Content-Type is `text/html` may not be able to parse the response correctly. To fix this vulnerability, the code should explicitly set the Content-Type header to `application/json` when sending JSON data in the response.
Steps
- Import the 'helmet' package
- Add the 'helmet' middleware to the Express app
- Set the 'Content-Type' header in the server response
Secure Code Example
import express from 'express';
import helmet from 'helmet';

const app = express();

// Helmet registers its security-related header middleware for every response
app.use(helmet());

app.get('/api/data', (req, res) => {
  const data = {
    id: 1,
    name: 'John Doe',
    age: 25,
  };
  // Declare the body type explicitly before sending the JSON payload
  res.setHeader('Content-Type', 'application/json');
  res.send(data);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by explicitly setting the Content-Type header in the server response. It imports the necessary modules, Express and Helmet; Helmet is a middleware that helps secure the Express application. The Express application is created and the Helmet middleware is registered with `app.use()`. Helmet helps to set various security-related HTTP headers, including the Content-Type header. A route is defined for the `/api/data` endpoint with `app.get()`. Inside the route handler, a data object is created with some sample data. To fix the vulnerability, `res.setHeader()` sets the Content-Type header to `application/json`, indicating that the response is in JSON format. Finally, the response is sent with `res.send()`, which writes the data object as the response body. By explicitly setting the Content-Type header to `application/json`, the fixed code ensures that the client interprets the response correctly, avoiding unexpected behaviour caused by content type misinterpretation.
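The following is an added example, not code from the original page or from the Express or Helmet projects. It shows how a defender can verify, in a test or a response audit, that a JSON endpoint sends the header the fix above relies on: it parses the Content-Type value into media type and parameters (so `application/json; charset=utf-8` is accepted), looks headers up case-insensitively, and also checks for `X-Content-Type-Options: nosniff`, which is one of the headers Helmet adds. The two header sets at the bottom are constructed samples standing in for the insecure and fixed handlers; they were not captured from a running server. The function names are this example's own.

```typescript
// Added example: audit the headers of a response that is supposed to carry JSON.
// Uses no third-party packages, so it can run in a unit test without Express.

interface HeaderFinding {
  header: string;
  problem: string;
}

interface ParsedContentType {
  type: string;
  params: Record<string, string>;
}

/** Split a Content-Type value into a lower-cased media type and its parameters. */
function parseContentType(value: string): ParsedContentType {
  const [rawType, ...rawParams] = value.split(';');
  const params: Record<string, string> = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue; // malformed parameter, ignore it
    const key = p.slice(0, eq).trim().toLowerCase();
    let val = p.slice(eq + 1).trim();
    // Parameter values may be quoted, e.g. charset="UTF-8"
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    params[key] = val;
  }
  return { type: rawType.trim().toLowerCase(), params };
}

/** HTTP header names are case-insensitive, so look them up that way. */
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

/** Returns an empty list when the response declares JSON correctly. */
function auditJsonResponseHeaders(headers: Record<string, string>): HeaderFinding[] {
  const findings: HeaderFinding[] = [];

  const contentType = getHeader(headers, 'Content-Type');
  if (contentType === undefined) {
    findings.push({ header: 'Content-Type', problem: 'not set; the client has to guess the body type' });
  } else {
    const { type, params } = parseContentType(contentType);
    if (type !== 'application/json') {
      findings.push({ header: 'Content-Type', problem: `expected application/json, got ${type}` });
    }
    // A charset parameter is optional for JSON, but if present it must be UTF-8
    if (params.charset !== undefined && params.charset.toLowerCase() !== 'utf-8') {
      findings.push({ header: 'Content-Type', problem: `JSON must be UTF-8, got charset=${params.charset}` });
    }
  }

  const nosniff = getHeader(headers, 'X-Content-Type-Options');
  if (nosniff === undefined || nosniff.trim().toLowerCase() !== 'nosniff') {
    findings.push({
      header: 'X-Content-Type-Options',
      problem: 'missing or not "nosniff"; browsers may sniff the body as another type',
    });
  }
  return findings;
}

// Constructed samples (not captured from a real server): what the insecure handler
// and the fixed handler in this page would plausibly send for /api/data.
const insecureSample: Record<string, string> = {
  'Content-Type': 'text/html; charset=utf-8',
};
const secureSample: Record<string, string> = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};

for (const [label, headers] of [['insecure', insecureSample], ['secure', secureSample]] as const) {
  const findings = auditJsonResponseHeaders(headers);
  console.log(`${label}: ${findings.length === 0 ? 'OK' : JSON.stringify(findings)}`);
}
```

In a real test suite the header map would come from the response object of a request against the app (for example `res.headers` from a supertest call), and the expectation is that `auditJsonResponseHeaders` returns an empty list for every JSON endpoint; the insecure sample above yields two findings, the wrong media type and the missing `nosniff` header.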
References
Last updated
2023/09/18