Insecure or unset HTTP headers - Content-Type
Need
Enforcement of secure and appropriate Content-Type headers in server responses
Context
- Usage of Go 1.16 for building high-performance and concurrent applications
- Usage of gin-gonic/gin for building web applications and APIs in Go
Description
Non compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/example", func(c *gin.Context) {
c.String(200, "OK")
})
r.Run()
}
In this code snippet, we are using the Gin web framework to create a simple HTTP server in Go. The server has one route, /example, which responds with a status code of 200 and a body of "OK".
The vulnerability lies in the fact that this response does not specify a Content-Type header. This can lead to security issues such as MIME-type confusion, which can be exploited by attackers to execute arbitrary code in the context of the web page.
The Content-Type header tells the client what the content type of the returned content actually is. Browsers use this information to process the content accordingly. If the Content-Type header is not set, browsers will try to interpret the content on their own, which can lead to unexpected results.
For example, a browser might interpret the content as HTML even though it's actually plain text. This can lead to cross-site scripting (XSS) attacks if the content includes user input.
In this case, since we're returning a plain text string, the Content-Type should be set to text/plain.
Steps
- Set the Content-Type header in the server responses.
- Choose an appropriate Content-Type value based on the type of data being returned (e.g., application/json for JSON data, text/html for HTML data, etc.).
- Use the SetHeader method in the gin.Context object to set the Content-Type header.
- Ensure that the Content-Type header is set before sending the response to the client.
- Test the application to verify that the Content-Type header is correctly set in the server responses.
Compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/example", func(c *gin.Context) {
c.Header("Content-Type", "text/plain; charset=utf-8")
c.String(200, "OK")
})
r.Run()
}
The updated code now includes a call to the Header method of the gin.Context object, which is used to set the Content-Type header in the server response. The Content-Type is set to text/plain; charset=utf-8 because the server is returning a plain text response.
This change ensures that the Content-Type header is always set in the server responses, which can help prevent certain types of security vulnerabilities related to the handling of server responses.
For example, if the Content-Type header is not set, a client might interpret the response body incorrectly, potentially leading to issues such as cross-site scripting (XSS) attacks. By explicitly setting the Content-Type header, we can help ensure that the response body is interpreted correctly by the client.
After making this change, you should test your application to verify that the Content-Type header is correctly set in the server responses. You can do this by sending a request to the server and checking the headers in the server response.