Insecure or unset HTTP headers - X-Content-Type-Options - Elixir

Insecure or unset HTTP headers - X-Content-Type-Options - Elixir

Need

To prevent MIME sniffing attacks

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of HTTP headers management

Description

Non compliant code

        defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  get "" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response doesn't include the X-Content-Type-Options header, making the application vulnerable to MIME sniffing attacks.

Steps

  • Set the X-Content-Type-Options header in the server responses.
  • Set this header to nosniff to disable MIME type sniffing.

Compliant code

        defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  get "" do
    conn
    |> put_resp_content_type("text/html")
    |> put_resp_header("x-content-type-options", "nosniff")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response includes the X-Content-Type-Options header with a value of nosniff, preventing MIME type sniffing by the browser.

References