Insecure or unset HTTP headers - CORS
Need
To prevent the inclusion of resources from untrusted origins
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug, Cowboy, and CorsPlug for building a web server in Elixir
- Usage of CORS headers management for handling cross-origin resource sharing
Description
Non compliant code
defmodule Vulnerable do
use Plug.Router
plug CORSPlug, origin: "*"
plug :match
plug :dispatch
get "" do
send_resp(conn, 200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the CORS policy is set to '*', allowing any domain to share resources.
Steps
- Remove the wildcard (*) from the CORS policy.
- Explicitly define the trusted origins for the application resources.
Compliant code
defmodule Secure do
use Plug.Router
plug CORSPlug, origin: "https://trusted.domain.com"
plug :match
plug :dispatch
get "" do
send_resp(conn, 200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the CORS policy is explicitly set to a specific domain, preventing resource sharing with untrusted domains.