Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
Need
To prevent harmful requests from Adobe Flash or PDF documents
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications in Elixir
- Usage of X-Permitted-Cross-Domain-Policies header management
Description
Non compliant code
defmodule Vulnerable do
use Plug.Router
plug :match
plug :dispatch
get "" do
conn
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the application is lacking the X-Permitted-Cross-Domain-Policies header.
Steps
- Unless the application requires Adobe products, set the X-Permitted-Cross-Domain-Policies to none in the server responses.
Compliant code
defmodule Secure do
use Plug.Router
plug :match
plug :dispatch
get "" do
conn
|> put_resp_header("x-permitted-cross-domain-policies", "none")
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the application is setting the X-Permitted-Cross-Domain-Policies header to 'none'.