Technical information leak - IPs

Need

To prevent exposure of internal technical information.

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Plug for building modular web applications
Usage of Cowboy as the HTTP server

Description

Non compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_header("X-Server-IP", "192.168.0.1")
    |> send_resp(200, "Welcome to MyApp!")
  end
end

This code is vulnerable because it sets a response header (X-Server-IP) with the internal IP address of the server (192.168.0.1). This exposes internal technical information that could be exploited by an attacker.

Steps

Remove any code that sets response headers with sensitive technical information.
Review your codebase and remove any other instances of sensitive information leaks.
Ensure your team is aware of the risk of exposing technical information.

Compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Welcome to MyApp!")
  end
end

In this secure code example, the response header setting the X-Server-IP has been removed. The application no longer exposes the server's internal IP address in its responses.

References

290.Technical information leak - IPs

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​