Insecure or Unset HTTP Headers - Content-Type
Need
To prevent unexpected behaviors due to content type misinterpretations
Context
- Usage of Elixir 1.12 for functional programming on the Erlang virtual machine
- Usage of Phoenix Framework 1.6 for web development
Description
Non compliant code
    defmodule PageController do
      use MyApp.Web, :controller

      def index(conn, _params) do
        send_resp(conn, 200, "Hello, world!")
      end
    end
In the non compliant code example, the index function responds to a GET request but never sets the Content-Type header. The client then has to guess the media type of the body, which can lead to misinterpretation of the content type and unexpected behaviors.
Steps
- Always set the Content-Type header explicitly so that the response declares the content type the application intends
- Use the put_resp_content_type/2 function available in Phoenix controllers (it comes from Plug.Conn) to set the Content-Type header before sending the response
Compliant code
    defmodule PageController do
      use MyApp.Web, :controller

      def index(conn, _params) do
        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(200, "Hello, world!")
      end
    end
In the compliant code, the index function sets the Content-Type header to text/plain (Plug appends charset=utf-8 by default) before calling send_resp. This informs the client about the type of content in the response, preventing misinterpretations.