Insecure or Unset HTTP Headers - Content-Type - Elixir

Need

To prevent unexpected behaviors due to content type misinterpretations

Context

  • Usage of Elixir 1.12 for functional programming on the Erlang virtual machine
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

# Phoenix 1.6 controller (module naming follows the MyAppWeb convention
# generated by Phoenix 1.6; the original page used MyApp.Web).
defmodule MyAppWeb.PageController do
  use MyAppWeb, :controller

  def index(conn, _params) do
    # Plug.Conn.send_resp/3 writes the status and body as given; it does not
    # add a Content-Type header, so the response goes out without one.
    send_resp(conn, 200, "Hello, world!")
  end
end


In the non-compliant code, the index action answers a GET request with `send_resp/3` but never sets the Content-Type header, and `send_resp/3` does not add one on its own. A response with no declared media type forces the client to guess: browsers fall back to MIME sniffing of the body, so a body that was meant as plain text can be rendered as HTML (or another type) and behave in ways the application did not intend.

Steps

  • Always set the Content-Type header so that every response explicitly declares the media type of its body (for example `text/plain`, `text/html` or `application/json`), instead of leaving the client to infer it
  • Use `put_resp_content_type/3` from `Plug.Conn` (imported into every Phoenix controller) to set the header before calling `send_resp/3`; it appends `; charset=utf-8` by default, which also pins the character encoding

Compliant code

defmodule MyAppWeb.PageController do
  use MyAppWeb, :controller

  def index(conn, _params) do
    conn
    # Declares the media type explicitly; the header sent is
    # "text/plain; charset=utf-8" (charset is added by default).
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello, world!")
  end
end


In the compliant code, the index action sets the Content-Type header to `text/plain; charset=utf-8` before sending the body. The client is told both the media type and the encoding of the response, so it has no reason to sniff the body and cannot misinterpret it as another type.
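Setting the header in every action is easy to forget. As an added example that is not part of the original page or of Phoenix itself, the plug below enforces the rule for a whole pipeline: it registers a before-send callback that fills in a default Content-Type whenever nothing upstream set one, so a forgotten `put_resp_content_type/3` degrades to an explicit `text/plain` instead of an unset header. The module name, the `:default` option and the demo function are assumptions made for this example; every `Plug.Conn` call used is part of the real Plug API.

```elixir
defmodule MyAppWeb.Plugs.EnsureContentType do
  @moduledoc """
  Added example (not from the original page): a Plug that guarantees every
  response leaves the pipeline with an explicit Content-Type header.

  The module name, the `:default` option and its fallback value are
  assumptions; `register_before_send/2`, `get_resp_header/2` and
  `put_resp_content_type/3` are the real `Plug.Conn` functions.
  """
  @behaviour Plug

  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.put_new(opts, :default, "text/plain")

  @impl true
  def call(conn, opts) do
    default = Keyword.fetch!(opts, :default)

    # Before-send callbacks run inside send_resp/3, after the controller has
    # finished, so this sees the final response headers.
    register_before_send(conn, fn conn ->
      case get_resp_header(conn, "content-type") do
        [] ->
          # Nothing upstream declared a media type: declare a safe default
          # rather than letting the client sniff the body. The charset is
          # appended by put_resp_content_type/3 (utf-8 by default).
          put_resp_content_type(conn, default)

        [_ | _] ->
          # A controller or view already set it explicitly; leave it alone.
          conn
      end
    end)
  end

  @doc """
  Demonstrates the plug with Plug.Test (assumed available, as it ships with
  Plug) on a response that never sets Content-Type. Returns the resulting
  "content-type" response header values.
  """
  def demo do
    conn =
      Plug.Test.conn(:get, "/")
      |> call(init([]))
      |> send_resp(200, "Hello, world!")

    get_resp_header(conn, "content-type")
  end
end
```

Add `plug MyAppWeb.Plugs.EnsureContentType, default: "text/plain"` to the relevant pipeline in the router (or to the endpoint before the router) and every response passing through it carries a Content-Type header; calling `MyAppWeb.Plugs.EnsureContentType.demo/0` in `iex -S mix` returns `["text/plain; charset=utf-8"]`. The plug is a safety net, not a substitute for the explicit `put_resp_content_type/3` call in the compliant code: a JSON or HTML response that relies on the fallback would still be labelled `text/plain`, which is safe but wrong, so actions should keep declaring their real media type.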

References