Insecure or unset HTTP headers - Accept - Elixir

Need

To prevent unexpected behaviors due to content type misinterpretations

Context

  • Usage of Elixir (v1.12+) for building scalable and concurrent applications
  • Usage of Plug.Router for handling HTTP requests

Description

Non-compliant code

    defmodule MyApp.Router do
      use Plug.Router

      plug :match
      plug :dispatch

      # No Content-Type check: every request reaches the handler regardless
      # of the media type it declares for its body.
      match _ do
        send_resp(conn, 200, "Hello, world!")
      end
    end


This Elixir code does not handle the Accept header or validate the Content-Type of incoming requests, so the application may act on a request body whose content type it misinterprets.

Steps

  • Check the Content-Type of the incoming requests
  • Only allow the application/json content type
  • Respond with a 406 Not Acceptable status code if the Content-Type is different

Compliant code

    defmodule MyApp.Router do
      use Plug.Router

      plug :match
      plug :dispatch

      match _ do
        # get_req_header/2 returns a list of header values; only an exact
        # "application/json" value is accepted. A header carrying parameters
        # (e.g. "application/json; charset=utf-8") or a missing/duplicated
        # header falls through to the 406 branch.
        case get_req_header(conn, "content-type") do
          ["application/json"] -> send_resp(conn, 200, "Hello, world!")
          _ -> send_resp(conn, 406, "Not Acceptable")
        end
      end
    end


The secure Elixir code checks the Content-Type of the incoming requests and only allows application/json. If the Content-Type is different, the application responds with a 406 Not Acceptable status code.
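As an added example (not the page's own code), the same check factored into a reusable Plug that parses the media type with Plug.Conn.Utils.content_type/1, so a value such as "application/json; charset=utf-8" is accepted rather than rejected by an exact string match, and that sets the response Content-Type explicitly. MyApp.Plugs.RequireJson is an assumed module name.

```elixir
defmodule MyApp.Plugs.RequireJson do
  @moduledoc "Added example: rejects requests whose Content-Type is not application/json."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # A request must carry exactly one Content-Type header.
    case get_req_header(conn, "content-type") do
      [value] ->
        # content_type/1 splits "type/subtype; k=v" into its parts and
        # returns :error for malformed values and wildcards.
        case Plug.Conn.Utils.content_type(value) do
          {:ok, "application", "json", _params} -> conn
          _ -> reject(conn)
        end

      _ ->
        reject(conn)
    end
  end

  # Keeps the page's 406 response; halt/1 stops the pipeline so :match
  # and :dispatch never run for a rejected request.
  defp reject(conn) do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(406, "Not Acceptable")
    |> halt()
  end
end

defmodule MyApp.Router do
  use Plug.Router

  plug MyApp.Plugs.RequireJson
  plug :match
  plug :dispatch

  match _ do
    # Declare the response media type so the client cannot misinterpret it.
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(200, ~s({"message":"Hello, world!"}))
  end
end
```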
