Enforce secure and properly defined Content-Type headers in server responses
import 'package:shelf/shelf.dart' as shelf;

// Noncompliant: the response carries no Content-Type header, so the client is
// left to decide for itself what these bytes are.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!');
}
In the code above, the response is built with shelf.Response.ok, which produces an HTTP response with status code 200 and the body 'Hello, World!'. No headers are set, so the handler never states what kind of content it is returning.

This is a problem because the Content-Type header is what tells the client what the returned bytes actually are; browsers rely on it to decide how to process a response. When the server leaves it out (or lets the framework fill in a generic placeholder such as application/octet-stream), the client falls back to guessing the type from the content itself, a process known as MIME sniffing. Attacker-influenced content in a response can then be interpreted as something other than what the developer intended, for example as HTML or script rather than plain text, and executed in the user's browser. Always set the Content-Type header explicitly, with the media type that matches the data being returned, and pair it with X-Content-Type-Options: nosniff so that browsers do not override the declared type.
import 'package:shelf/shelf.dart' as shelf;

// Compliant: the handler declares the media type of the body it returns.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok(
    'Hello, World!',
    headers: {'Content-Type': 'text/plain'},
  );
}
The original code was vulnerable because it did not specify the Content-Type header in the server response, which exposes clients to MIME type confusion (content sniffing) attacks.

The fixed code addresses this by setting the Content-Type header explicitly. Since the handler returns a plain-text message ('Hello, World!'), the Content-Type is set to 'text/plain'. For text types, also declare the character encoding ('text/plain; charset=utf-8') so that the client does not have to guess that either.

The value must match the data actually being returned: a JSON body is labelled 'application/json', an HTML page 'text/html; charset=utf-8', and so on. A response labelled with the wrong type is no safer than one with no type at all.

Declaring the Content-Type on every response, and sending X-Content-Type-Options: nosniff alongside it, removes the guesswork that content sniffing attacks depend on.
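Fixing one handler is not enough; every handler in the application has to get this right. The following is an added example, not code from the original page or from the shelf project, showing how to enforce the rule centrally: a shelf middleware that refuses to forward any response whose Content-Type is missing, adds X-Content-Type-Options: nosniff to everything that passes, and a small helper so that JSON endpoints label their body in one place. The handler names, the paths and the JSON payload are made up for the demonstration, and the check that treats 'application/octet-stream; charset=…' as undeclared assumes shelf's fallback behaviour for String bodies that declare no type.

```dart
import 'dart:convert';

import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as shelf_io;

/// Returns true when [contentType] does not actually declare what the body is.
/// A missing or empty header is the obvious case. shelf is assumed to fill in
/// 'application/octet-stream; charset=<enc>' for String bodies that declare
/// nothing; a charset on octet-stream is meaningless, so that placeholder is
/// treated as undeclared as well.
bool isUndeclared(String? contentType) {
  if (contentType == null || contentType.trim().isEmpty) return true;
  final parts =
      contentType.toLowerCase().split(';').map((p) => p.trim()).toList();
  final mediaType = parts.first;
  final hasCharset = parts.skip(1).any((p) => p.startsWith('charset='));
  return mediaType == 'application/octet-stream' && hasCharset;
}

/// Middleware that fails closed when a handler returns a response without a
/// meaningful Content-Type, and adds X-Content-Type-Options: nosniff to every
/// response that passes so browsers use the declared type instead of sniffing.
Middleware requireContentType() {
  return (Handler inner) {
    return (Request request) async {
      final response = await inner(request);
      // shelf's header map is case-insensitive, so 'Content-Type' matches too.
      if (isUndeclared(response.headers['content-type'])) {
        // Do not forward the untyped body; surface the bug to the operator.
        return Response.internalServerError(
          body:
              'handler for /${request.url.path} did not declare a Content-Type',
          headers: {'content-type': 'text/plain; charset=utf-8'},
        );
      }
      return response.change(headers: {'x-content-type-options': 'nosniff'});
    };
  };
}

/// Helper so JSON endpoints cannot forget the type: the body is encoded and
/// labelled in one place.
Response jsonResponse(Object? data, {int status = 200}) => Response(
      status,
      body: jsonEncode(data),
      headers: {'content-type': 'application/json; charset=utf-8'},
    );

// Minimal path-based dispatch (no router package) for the demonstration.
// request.url is relative, so the root path is the empty string.
Response handleRequest(Request request) {
  switch (request.url.path) {
    case '':
      return Response.ok(
        'Hello, World!',
        headers: {'content-type': 'text/plain; charset=utf-8'},
      );
    case 'api/user':
      // Constructed sample payload.
      return jsonResponse({'id': 42, 'name': 'alice'});
    case 'untyped':
      // Deliberately wrong, mirroring the vulnerable snippet above: a body
      // that a sniffing browser could render as HTML. The middleware turns
      // this into a 500 instead of shipping untyped bytes.
      return Response.ok('<script>alert(1)</script>');
    default:
      return Response.notFound(
        'not found',
        headers: {'content-type': 'text/plain; charset=utf-8'},
      );
  }
}

Future<void> main() async {
  final handler = const Pipeline()
      .addMiddleware(logRequests())
      .addMiddleware(requireContentType())
      .addHandler(handleRequest);
  final server = await shelf_io.serve(handler, 'localhost', 8080);
  print('Listening on http://${server.address.host}:${server.port}');
}
```

Run it and request /, /api/user and /untyped: the first two arrive with their declared type plus X-Content-Type-Options: nosniff, while /untyped is converted into a 500 that names the offending path, which is far easier to notice in testing than a silently untyped response. Failing closed is the right default for a middleware like this; if an application genuinely needs to serve raw bytes, that handler should say so with an explicit, charset-free 'application/octet-stream' or the real media type of the file.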