Insecure or unset HTTP headers - X-Content-Type-Options

Need

To prevent MIME sniffing attacks

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of HTTP headers management

Description

Non compliant code

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: declares a content type but never sets
  # X-Content-Type-Options, so the browser is free to sniff.
  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response doesn't include the X-Content-Type-Options header, so a browser may ignore the declared Content-Type and guess the type from the body, which makes the application vulnerable to MIME sniffing attacks.

Steps

  • Set the X-Content-Type-Options header in the server responses.
  • Set this header to nosniff to disable MIME type sniffing.

Compliant code

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: the nosniff header tells the browser to trust the
  # declared Content-Type instead of sniffing the body.
  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> put_resp_header("x-content-type-options", "nosniff")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response includes the X-Content-Type-Options header with a value of nosniff, preventing MIME type sniffing by the browser.
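Setting the header per route, as above, works but is easy to forget on the next endpoint. As an added example (not code from the original page), the header can be applied to every response from one place: a small module plug registered before :match, with an ExUnit test using Plug.Test that checks both a matched route and the 404 catch-all. The module names NoSniffPlug, SecureRouter and SecureRouterTest are assumptions.

```elixir
defmodule NoSniffPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Runs just before the response is sent, so the header is added
    # no matter which route handled the request (including the 404).
    register_before_send(conn, fn conn ->
      put_resp_header(conn, "x-content-type-options", "nosniff")
    end)
  end
end

defmodule SecureRouter do
  use Plug.Router

  # Placed before :match so every route inherits the header.
  plug NoSniffPlug
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

# ExUnit test: both a matched route and the catch-all carry nosniff.
defmodule SecureRouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn, only: [get_resp_header: 2]

  @opts SecureRouter.init([])

  test "nosniff is set on every response" do
    for path <- ["/", "/does-not-exist"] do
      resp = SecureRouter.call(conn(:get, path), @opts)
      assert get_resp_header(resp, "x-content-type-options") == ["nosniff"]
    end
  end
end
```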

References