Insecure HTTP methods enabled
Need
To ensure that HTTP methods such as TRACE, PUT and DELETE are disabled to avoid potential security risks
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of the Phoenix Framework, built on Plug, for building web applications
- Usage of the application as a web server for handling HTTP requests
Description
Non compliant code
defmodule VulnerableController do
  use MyApp.Web, :controller

  # update action: the router maps PUT (and PATCH) requests to this action
  def update(conn, _params) do
    # update action
  end

  # delete action: the router maps DELETE requests to this action
  def delete(conn, _params) do
    # delete action
  end
end
The Elixir code above is vulnerable because it defines `update` and `delete` actions, which the Phoenix router exposes over the PUT and DELETE HTTP methods. Serving these methods without a need for them widens the attack surface and makes the application susceptible to potential security threats.
Steps
- Use Plug to restrict the HTTP methods your application accepts to an explicit allow-list.
- Remove or comment out any controller actions and routes that handle the unwanted HTTP methods (such as TRACE, PUT and DELETE).
Compliant code
defmodule SecureController do
  use MyApp.Web, :controller

  def show(conn, _params) do
    # show action
  end

  def create(conn, _params) do
    # create action
  end

  # The PUT and DELETE methods are not handled
end
The Elixir code above is secure because it does not define `update` or `delete` actions, so there is nothing for the router to serve over the PUT and DELETE HTTP methods. This prevents potential security threats associated with these methods. Combine it with the router and Plug restrictions from the steps above so that requests using unwanted methods are rejected outright rather than reaching an action that does not exist.
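As an added example that is not part of the original page, the Plug below implements the first step above: an explicit allow-list of HTTP methods enforced before the router, answering anything else (TRACE, PUT, DELETE) with 405. The module names `MyAppWeb.Plugs.AllowedMethods`, `MyAppWeb.Endpoint` and `PostController` are assumptions; `Plug.Conn`, `Plug.Test` and the `resources ... only:` router option are real Plug/Phoenix APIs.

```elixir
defmodule MyAppWeb.Plugs.AllowedMethods do
  # Hypothetical module name. Rejects any request whose HTTP method is not
  # on an explicit allow-list with 405 Method Not Allowed and halts the
  # pipeline, so TRACE, PUT and DELETE never reach the router or controllers.
  @behaviour Plug
  import Plug.Conn

  @default_allowed ~w(GET HEAD POST OPTIONS)

  @impl Plug
  def init(opts), do: Keyword.get(opts, :allowed, @default_allowed)

  @impl Plug
  def call(%Plug.Conn{method: method} = conn, allowed) do
    if method in allowed do
      conn
    else
      conn
      # Advertise the permitted methods, as RFC 9110 requires for a 405.
      |> put_resp_header("allow", Enum.join(allowed, ", "))
      |> send_resp(405, "Method Not Allowed")
      |> halt()
    end
  end
end

# Wire it in early, before the router, in the Phoenix endpoint (assumed
# module MyAppWeb.Endpoint):
#
#   plug MyAppWeb.Plugs.AllowedMethods, allowed: ~w(GET HEAD POST)
#   plug MyAppWeb.Router
#
# and keep the router from generating PUT/PATCH/DELETE routes at all:
#
#   resources "/posts", PostController, only: [:index, :show, :create]

# ExUnit check (Plug.Test ships with Plug): a constructed TRACE request is
# halted with 405, while a GET passes through the plug unchanged.
defmodule MyAppWeb.Plugs.AllowedMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test

  test "rejects methods outside the allow-list" do
    opts = MyAppWeb.Plugs.AllowedMethods.init(allowed: ~w(GET HEAD POST))
    denied = conn(:trace, "/") |> MyAppWeb.Plugs.AllowedMethods.call(opts)
    assert denied.halted and denied.status == 405
    assert Plug.Conn.get_resp_header(denied, "allow") == ["GET, HEAD, POST"]
    passed = conn(:get, "/") |> MyAppWeb.Plugs.AllowedMethods.call(opts)
    refute passed.halted
  end
end
```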