Insecure or unset HTTP headers - Content-Type - Go

Insecure or unset HTTP headers - Content-Type - Go

Need

Enforcement of secure and appropriate Content-Type headers in server responses

Context

  • Usage of Go 1.16 for building high-performance and concurrent applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/example", func(c *gin.Context) {
		c.String(200, "OK")
	})

	r.Run()
}
        
        

In this code snippet, we are using the Gin web framework to create a simple HTTP server in Go. The server has one route, /example, which responds with a status code of 200 and a body of "OK".

The vulnerability lies in the fact that this response does not specify a Content-Type header. This can lead to security issues such as MIME-type confusion, which can be exploited by attackers to execute arbitrary code in the context of the web page.

The Content-Type header tells the client what the content type of the returned content actually is. Browsers use this information to process the content accordingly. If the Content-Type header is not set, browsers will try to interpret the content on their own, which can lead to unexpected results.

For example, a browser might interpret the content as HTML even though it's actually plain text. This can lead to cross-site scripting (XSS) attacks if the content includes user input.

In this case, since we're returning a plain text string, the Content-Type should be set to text/plain.

Steps

  • Set the Content-Type header in the server responses.
  • Choose an appropriate Content-Type value based on the type of data being returned (e.g., application/json for JSON data, text/html for HTML data, etc.).
  • Use the SetHeader method in the gin.Context object to set the Content-Type header.
  • Ensure that the Content-Type header is set before sending the response to the client.
  • Test the application to verify that the Content-Type header is correctly set in the server responses.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/example", func(c *gin.Context) {
		c.Header("Content-Type", "text/plain; charset=utf-8")
		c.String(200, "OK")
	})

	r.Run()
}
        
        

The updated code now includes a call to the Header method of the gin.Context object, which is used to set the Content-Type header in the server response. The Content-Type is set to text/plain; charset=utf-8 because the server is returning a plain text response.

This change ensures that the Content-Type header is always set in the server responses, which can help prevent certain types of security vulnerabilities related to the handling of server responses.

For example, if the Content-Type header is not set, a client might interpret the response body incorrectly, potentially leading to issues such as cross-site scripting (XSS) attacks. By explicitly setting the Content-Type header, we can help ensure that the response body is interpreted correctly by the client.

After making this change, you should test your application to verify that the Content-Type header is correctly set in the server responses. You can do this by sending a request to the server and checking the headers in the server response.

References