Insecure or unset HTTP headers - Accept
Need
To prevent unexpected behaviors due to content type misinterpretations
Context
- Usage of Elixir (v1.12+) for building scalable and concurrent applications
- Usage of Plug.Router for handling HTTP requests
Description
Non compliant code
defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end
end
The Elixir code neither inspects the Accept header nor validates the Content-Type of incoming requests, so a request carrying an unexpected content type is processed as if it were the expected one. This can lead to unexpected behavior when the application interprets the body under the wrong content type.
Steps
- Check the Content-Type of the incoming requests
- Only allow the application/json content type
- Respond with a 406 Not Acceptable status code if the Content-Type is different
Compliant code
defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    # get_req_header/2 returns a list of values; the comparison is an exact
    # string match, so a value such as "application/json; charset=utf-8"
    # (which is still JSON) also falls into the rejection branch.
    case get_req_header(conn, "content-type") do
      ["application/json"] -> send_resp(conn, 200, "Hello, world!")
      _ -> send_resp(conn, 406, "Not Acceptable")
    end
  end
end
The secure Elixir code checks the Content-Type of incoming requests and only allows application/json. Any other value, including a missing header, makes the application respond with a 406 Not Acceptable status code.
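The following is an added example, not code from the original page: it moves the check from the route body into a reusable plug so it runs for every route, parses the media type with Plug.Conn.Utils.media_type/1 so that parameters such as charset do not cause a legitimate JSON request to be rejected, and additionally honours the request's Accept header (the header named in the title), refusing clients that will not accept application/json. The module name MyApp.Plugs.EnforceJson, the list of body-carrying methods, and the 400 returned when such a request omits Content-Type are assumptions made here; the 406 for a rejected Content-Type is kept as the page specifies.

```elixir
defmodule MyApp.Plugs.EnforceJson do
  # Added example (not from the original page). Module name, the @body_methods
  # list and the 400 status for a missing Content-Type are assumptions; the
  # 406 for an unsupported media type follows the page's compliant code.
  @behaviour Plug
  import Plug.Conn
  alias Plug.Conn.Utils

  # HTTP methods that normally carry a request body (assumption).
  @body_methods ~w(POST PUT PATCH)

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    with :ok <- check_content_type(conn),
         :ok <- check_accept(conn) do
      conn
    else
      {:error, status, reason} ->
        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(status, reason)
        |> halt()
    end
  end

  # Content-Type is parsed rather than string-compared, so
  # "application/json; charset=utf-8" is accepted while "text/plain" and
  # "application/xml" are rejected. Requests that carry no body may omit it.
  defp check_content_type(conn) do
    case {conn.method in @body_methods, get_req_header(conn, "content-type")} do
      {false, []} ->
        :ok

      {true, []} ->
        {:error, 400, "Content-Type header is required"}

      {_, [value | _]} ->
        case Utils.media_type(value) do
          {:ok, "application", "json", _params} -> :ok
          _ -> {:error, 406, "Not Acceptable"}
        end
    end
  end

  # An absent Accept header means the client accepts any representation.
  # Otherwise at least one listed media range must cover application/json
  # ("*/*", "application/*" or "application/json") with a non-zero q value.
  defp check_accept(conn) do
    case get_req_header(conn, "accept") do
      [] ->
        :ok

      [value | _] ->
        if Enum.any?(Utils.list(value), &accepts_json?/1) do
          :ok
        else
          {:error, 406, "Not Acceptable"}
        end
    end
  end

  defp accepts_json?(media_range) do
    case Utils.media_type(media_range) do
      {:ok, type, subtype, params}
      when type in ["*", "application"] and subtype in ["*", "json"] ->
        acceptable_q?(params)

      _ ->
        false
    end
  end

  # "q=0" (or "0.0") explicitly marks a media range as not acceptable.
  defp acceptable_q?(params) do
    case Float.parse(Map.get(params, "q", "1")) do
      {q, _rest} -> q > 0
      :error -> false
    end
  end
end

# Wiring and a quick check (constructed request; requires the :plug dependency):
#
#   defmodule MyApp.Router do
#     use Plug.Router
#     plug MyApp.Plugs.EnforceJson   # before :match, so it covers every route
#     plug :match
#     plug :dispatch
#     match _, do: send_resp(conn, 200, "Hello, world!")
#   end
#
#   import Plug.Test
#   conn(:post, "/", ~s({"a": 1}))
#   |> put_req_header("content-type", "application/json; charset=utf-8")
#   |> put_req_header("accept", "application/json")
#   |> MyApp.Plugs.EnforceJson.call([])
#   |> Map.get(:halted)
#   # => false  (the same request with "content-type: text/plain" halts with 406)
```

Placing the plug before `plug :match` is what makes it apply to every route; in the page's compliant code the check lives inside a single `match _` clause and must be repeated in each route that needs it. The block keeps the page's 406 for an unsupported Content-Type; RFC 9110 reserves 415 Unsupported Media Type for that case and uses 406 for Accept negotiation failures, so a team may prefer to return 415 from check_content_type/1 and 406 only from check_accept/1.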