Insecure or unset HTTP headers - CORS

Need

To prevent the inclusion of resources from untrusted origins

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug, Cowboy, and CORSPlug for building a web server in Elixir
  • Usage of CORS headers management for handling cross-origin resource sharing

Description

Non compliant code

defmodule Vulnerable do
  use Plug.Router

  # Wildcard origin: every site is allowed to read this application's responses
  plug CORSPlug, origin: "*"

  plug :match
  plug :dispatch

  get "" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS origin policy is set to '*', so the server accepts cross-origin requests from any domain and any website can read the application's responses.

Steps

  • Remove the wildcard (*) from the CORS policy.
  • Explicitly define the trusted origins for the application resources.

Compliant code

defmodule Secure do
  use Plug.Router

  # Only this origin receives an Access-Control-Allow-Origin header
  plug CORSPlug, origin: "https://trusted.domain.com"

  plug :match
  plug :dispatch

  get "" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS origin policy is explicitly set to a single trusted domain, so browsers block pages from any other origin from reading the application's responses.
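The following is an added example, not code from the original page or from the cors_plug project. It extends the compliant router in two ways a practitioner usually needs: the origin option is given a list of trusted origins rather than one string (CORSPlug accepts a list, a regex or a function for this option), and an ExUnit test built on Plug.Test checks the resulting headers directly, so a later change that reintroduces '*' or echoes arbitrary origins is caught in CI. The module names and origins (https://app.example, https://admin.example, https://untrusted.example) are made up for the example; the test only assumes that an unmatched origin is never echoed back and never answered with '*', whichever way the installed CORSPlug version omits or nulls the header.

```elixir
# Added example: explicit origin allowlist plus a header check.
# Module names and origins are hypothetical.
defmodule Allowlisted do
  use Plug.Router

  # Each request's Origin header is compared against this list; only a
  # matching value is echoed back in access-control-allow-origin.
  plug CORSPlug, origin: ["https://app.example", "https://admin.example"]

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule AllowlistedTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts Allowlisted.init([])

  # Send a request carrying the given Origin header and return the
  # value(s) of access-control-allow-origin in the response.
  defp allow_origin_for(origin) do
    :get
    |> conn("/")
    |> put_req_header("origin", origin)
    |> Allowlisted.call(@opts)
    |> get_resp_header("access-control-allow-origin")
  end

  test "a trusted origin is echoed back" do
    assert allow_origin_for("https://app.example") == ["https://app.example"]
  end

  test "an untrusted origin is neither echoed back nor granted a wildcard" do
    header = allow_origin_for("https://untrusted.example")
    refute header == ["https://untrusted.example"]
    refute header == ["*"]
  end

  test "a preflight request from a trusted origin is answered with its origin" do
    resp =
      :options
      |> conn("/")
      |> put_req_header("origin", "https://admin.example")
      |> put_req_header("access-control-request-method", "GET")
      |> Allowlisted.call(@opts)

    # CORSPlug answers OPTIONS itself before the router matches a route
    assert resp.status in [200, 204]
    assert get_resp_header(resp, "access-control-allow-origin") == ["https://admin.example"]
  end
end
```

Run the tests with mix test; the second test is the one that fails if someone restores origin: "*", because the wildcard would then be returned for the untrusted origin as well.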