Insecure or unset HTTP headers - Content-Type - TypeScript

Insecure or unset HTTP headers - Content-Type - TypeScript

Need

Ensure secure and properly set HTTP headers, including the Content-Type header, in server responses.

Context

  • Usage of TypeScript for static typing and enhanced developer experience in Node.js development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/api/data', (req, res) => {
  const data = {
    id: 1,
    name: 'John Doe',
    age: 25,
  };

  res.send(data);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is that it does not define the Content-Type header in the server response. By default, the res.send() method in Express sets the Content-Type header to text/html. However, in this code, the response is sending JSON data without explicitly setting the Content-Type header to application/json.

This can lead to unexpected behaviors and misinterpretations by the client or other components in the application that rely on the Content-Type header to determine the type of data being sent. For example, if a client expects JSON data but receives a response with a Content-Type of text/html, it may not be able to parse the response correctly.

To fix this vulnerability, the code should explicitly set the Content-Type header to application/json when sending JSON data in the response.

Steps

  • Import the 'helmet' package
  • Add the 'helmet' middleware to the Express app
  • Set the 'Content-Type' header in the server response

Compliant code

        import express from 'express';
import helmet from 'helmet';

const app = express();

app.use(helmet());

app.get('/api/data', (req, res) => {
  const data = {
    id: 1,
    name: 'John Doe',
    age: 25,
  };

  res.setHeader('Content-Type', 'application/json');
  res.send(data);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code addresses the vulnerability by explicitly setting the Content-Type header in the server response.

The code imports the necessary modules, including Express and Helmet, which is a middleware that helps secure the Express application.

The Express application is created and the Helmet middleware is added using the app.use() method. Helmet helps to set various security-related HTTP headers, including the Content-Type header.

A route is defined for the /api/data endpoint using the app.get() method. Inside the route handler, a data object is created with some sample data.

To fix the vulnerability, the res.setHeader() method is used to set the Content-Type header to application/json, indicating that the response will be in JSON format.

Finally, the response is sent using the res.send() method, which sends the data object as the response body.

By explicitly setting the Content-Type header to application/json, the fixed code ensures that the response will be interpreted correctly by the client, avoiding any unexpected behaviors due to content type misinterpretations.

References