Insecure or unset HTTP headers - Strict Transport Security
Need
To enforce the use of HTTPS to prevent confidential information from being sent over insecure channels
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications in Elixir
- Usage of HTTP headers management
Description
Non compliant code
defmodule Vulnerable do
use Plug.Router
plug :match
plug :dispatch
get "" do
conn
|> put_resp_content_type("text/html")
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the server response doesn't include the Strict-Transport-Security header, making the application vulnerable to attacks such as MiTM.
Steps
- Set the Strict-Transport-Security header in the server responses.
- Set the max-age of this header to at least 31536000 (one year).
Compliant code
defmodule Secure do
use Plug.Router
plug :match
plug :dispatch
get "" do
conn
|> put_resp_content_type("text/html")
|> put_resp_header("strict-transport-security", "max-age=31536000")
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the server response includes the Strict-Transport-Security header with a max-age of one year, ensuring that the browser only communicates with the server over HTTPS for the specified time.