Technical Information Leak - Headers
Need
Prevent exposing server details through HTTP response headers.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.12.0 and above) for building composable web applications in Elixir
Description
Non compliant code
defmodule MyApp.Plug.RemoveSensitiveHeaders do
  # Despite its name, this version of the plug adds a fingerprinting header
  # rather than removing one.
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Header keys must be lowercase in Plug (the test adapter raises on
    # mixed-case keys). The leak is the value: application name and version,
    # language, and framework version.
    conn
    |> put_resp_header("server", "MyApp/1.0.0 (Elixir Plug/1.12.0)")
  end
end
This code is insecure because it sets the server response header to a value that discloses the application name and version, the language, and the Plug version. An attacker can use that fingerprint to select exploits for known vulnerabilities in exactly those versions instead of probing blindly.
Steps
- Do not set response headers (server, x-powered-by and similar) to values that identify the application, its version, or the technology stack.
- Review the headers your application actually sends (for example with curl -I against a running instance) and confirm that none of them reveal such details; remember that the HTTP adapter adds headers of its own, such as Cowboy's default server: Cowboy.
- Use a security-oriented plug that removes those headers or replaces them with a generic value, and run it from a Plug.Conn.register_before_send/2 callback so that headers added later in the pipeline are covered as well.
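The steps above combined into a single plug, as an added example that is not part of the original page and not a module shipped with Plug. It assumes a module name of MyApp.Plug.ScrubHeaders, a generic server value of "webserver", and a constructed list of headers to drop; the check at the bottom builds a request with Plug.Test and verifies the headers after send_resp/3 has run the before-send callback:

```elixir
# Added example, not from the original page. Needs Elixir >= 1.12 for
# Mix.install; run with `elixir scrub_headers.exs`.
Mix.install([{:plug, "~> 1.12"}])

defmodule MyApp.Plug.ScrubHeaders do
  @moduledoc """
  Drops response headers that fingerprint the technology stack and pins the
  `server` header to a generic token. The work happens in a before-send
  callback, so headers added by plugs and controllers that run *after* this
  plug are still scrubbed.
  """
  @behaviour Plug
  import Plug.Conn

  # Assumed list of fingerprinting headers; extend it for your own stack.
  @default_remove ~w(x-powered-by x-aspnet-version x-runtime x-version)

  @impl Plug
  def init(opts) do
    %{
      server: Keyword.get(opts, :server, "webserver"),
      remove: Keyword.get(opts, :remove, @default_remove)
    }
  end

  @impl Plug
  def call(conn, %{server: server, remove: remove}) do
    register_before_send(conn, fn conn ->
      conn
      |> drop_headers(remove)
      # Set a generic value instead of deleting `server`: Cowboy, the default
      # adapter, inserts `server: Cowboy` when the response carries none.
      |> put_resp_header("server", server)
    end)
  end

  defp drop_headers(conn, names) do
    Enum.reduce(names, conn, fn name, acc -> delete_resp_header(acc, name) end)
  end
end

# Constructed check: a pipeline that leaks after the scrubber has been
# installed. The before-send callback runs inside send_resp/3.
conn =
  Plug.Test.conn(:get, "/")
  |> MyApp.Plug.ScrubHeaders.call(MyApp.Plug.ScrubHeaders.init([]))
  |> Plug.Conn.put_resp_header("x-powered-by", "Phoenix")
  |> Plug.Conn.put_resp_header("server", "MyApp/1.0.0 (Elixir Plug/1.12.0)")
  |> Plug.Conn.send_resp(200, "ok")

# These matches raise MatchError if the scrubber did not do its job.
["webserver"] = Plug.Conn.get_resp_header(conn, "server")
[] = Plug.Conn.get_resp_header(conn, "x-powered-by")
IO.puts("response headers: #{inspect(conn.resp_headers)}")
```

Install the plug early in the endpoint, before the router, so its before-send callback is registered for every response. The header list and the generic value are assumptions; tune them to the headers your own application and adapter actually emit.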
Compliant code
defmodule MyApp.Plug.RemoveSensitiveHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Overwrite the `server` header with a generic token (lowercase key, as
    # Plug expects). Setting a value rather than deleting the header also
    # keeps the HTTP adapter from filling in its own default.
    conn
    |> put_resp_header("server", "Secure Server")
  end
end
This code is secure because the server header no longer identifies the application, its version, or the technology stack. It carries a generic value instead, so an attacker learns nothing that would help target known vulnerabilities in a specific version.