Insecure or unset HTTP headers - Accept

Need

To prevent unexpected behaviors due to content type misinterpretations

Context

Usage of Elixir (v1.12+) for building scalable and concurrent applications
Usage of Plug.Router for handling HTTP requests

Description

Non compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end
end

The Elixir code does not set the Accept header or validate the Content-Type of the incoming requests. This could lead to unexpected behaviors when the application interprets incorrect content types.

Steps

Check the Content-Type of the incoming requests
Only allow the application/json content type
Respond with a 406 Not Acceptable status code if the Content-Type is different

Compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    case get_req_header(conn, "content-type") do
      ["application/json"] -> send_resp(conn, 200, "Hello, world!")
      _ -> send_resp(conn, 406, "Not Acceptable")
    end
  end
end

The secure Elixir code checks the Content-Type of the incoming requests and only allows application/json. If the Content-Type is different, the application responds with a 406 Not Acceptable status code.

References

153.Insecure or unset HTTP headers - Accept

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​