
Insecure HTTP methods enabled

Need

To ensure that HTTP methods such as TRACE, PUT and DELETE are disabled unless the application explicitly needs them, so that every enabled method is a deliberate, authenticated and authorized entry point rather than unnecessary attack surface

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of the Phoenix Framework (built on Plug) for building web applications
  • Usage of the application as a web server for handling HTTP requests

Description

Non compliant code

defmodule VulnerableController do
  use MyApp.Web, :controller

  # Reachable over PUT/PATCH once the router maps it
  # (e.g. `resources "/items", VulnerableController` generates that route)
  def update(conn, _params) do
    # update action
    send_resp(conn, 204, "")
  end

  # Reachable over DELETE once the router maps it
  def delete(conn, _params) do
    # delete action
    send_resp(conn, 204, "")
  end
end

The Elixir code above is vulnerable because it implements `update` and `delete` actions, which the Phoenix router wires to the PUT/PATCH and DELETE HTTP methods (for example through `resources`). If the application does not need these state-changing operations, they needlessly widen the attack surface: every extra verb is another entry point that must be authenticated, authorized and protected against CSRF.

Steps

  • Declare only the routes and HTTP verbs the application needs in the Phoenix router (for example `resources "/items", ItemController, only: [:index, :show, :create]`), and add a Plug that rejects every other method with 405 Method Not Allowed.
  • Remove or comment out the controller actions (and the routes pointing to them) that handle unwanted HTTP methods.
  • Verify the result from the outside, e.g. `curl -i -X TRACE https://host/` and `curl -i -X DELETE https://host/api/items/1`, and confirm the server answers 405 (or 404 for an unrouted path) rather than executing the request.

Compliant code

defmodule SecureController do
  use MyApp.Web, :controller

  # GET: read-only
  def show(conn, _params) do
    # show action
    send_resp(conn, 200, "")
  end

  # POST: the only state-changing verb this controller exposes
  def create(conn, _params) do
    # create action
    send_resp(conn, 201, "")
  end

  # The PUT, PATCH and DELETE methods are not handled: no update/delete
  # actions exist, and the router must not generate routes for them
end

The Elixir code above is secure because it implements only the `show` (GET) and `create` (POST) actions; with no `update` or `delete` actions and no routes pointing at them, PUT, PATCH and DELETE requests cannot reach the controller. Pair this with a router-level restriction (`resources ... only: [...]`) so that the unused verbs are never routed at all, and with a method allow-list in the endpoint so that TRACE and other unexpected verbs are refused before routing.
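The Steps above are carried out end to end in the added example below. It is not code from the original page or from the Phoenix project: the module names (`MyAppWeb.Plugs.AllowedMethods`, `MyAppWeb.Endpoint`, `MyAppWeb.Router`, `ItemController`), the file paths and the allow-list contents are assumptions for illustration. It shows a small Plug that refuses any method outside an allow-list with 405 and an `Allow` header, the endpoint wiring that runs it before the router (so TRACE, PUT and DELETE are rejected before any route can match), a router that only generates GET/POST routes, and an ExUnit test that exercises the plug with `Plug.Test`.

```elixir
# lib/my_app_web/plugs/allowed_methods.ex (hypothetical path)
defmodule MyAppWeb.Plugs.AllowedMethods do
  @moduledoc """
  Rejects any request whose HTTP method is not in the configured allow-list
  with 405 Method Not Allowed and an Allow header listing what is accepted.
  Plug normalises conn.method to an upper-case string, so the list is matched
  case-exactly against upper-case names.
  """
  import Plug.Conn

  # Assumed default: a read-mostly API that only creates via POST.
  @default_allowed ~w(GET HEAD POST OPTIONS)

  def init(opts), do: Keyword.get(opts, :allowed, @default_allowed)

  def call(%Plug.Conn{method: method} = conn, allowed) do
    if method in allowed do
      conn
    else
      conn
      |> put_resp_header("allow", Enum.join(allowed, ", "))
      |> send_resp(405, "Method Not Allowed")
      |> halt()
    end
  end
end

# lib/my_app_web/endpoint.ex (excerpt, hypothetical): the allow-list runs
# before the router, so unwanted verbs never reach a route or controller.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  plug MyAppWeb.Plugs.AllowedMethods, allowed: ~w(GET HEAD POST OPTIONS)
  plug MyAppWeb.Router
end

# lib/my_app_web/router.ex (hypothetical): defence in depth at the routing
# layer. `only:` means no update (PUT/PATCH) or delete (DELETE) routes exist.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/api", MyAppWeb do
    pipe_through :api
    resources "/items", ItemController, only: [:index, :show, :create]
  end
end

# test/my_app_web/plugs/allowed_methods_test.exs (hypothetical)
defmodule MyAppWeb.Plugs.AllowedMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias MyAppWeb.Plugs.AllowedMethods

  @opts AllowedMethods.init(allowed: ~w(GET HEAD POST OPTIONS))

  test "allowed methods pass through untouched" do
    conn = AllowedMethods.call(conn(:get, "/api/items"), @opts)
    refute conn.halted
    assert conn.status == nil
  end

  test "TRACE, PUT and DELETE are refused with 405 and an Allow header" do
    for method <- [:trace, :put, :delete] do
      conn = AllowedMethods.call(conn(method, "/api/items/1"), @opts)
      assert conn.halted
      assert conn.status == 405
      assert get_resp_header(conn, "allow") == ["GET, HEAD, POST, OPTIONS"]
    end
  end
end
```

Placing the plug in the endpoint rather than in a router pipeline matters: a pipeline only runs for requests that already matched a route, whereas the endpoint sees every request, including a `TRACE /` that matches nothing and would otherwise fall through to the router's 404. The `only:` option on `resources` is the second layer: even if a controller still defines `update/2` or `delete/2`, no route exists to invoke them.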

References