Use of insecure channel - Source code
Need
To protect sensitive information during transmission over a network.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and concurrent applications
- Usage of Cowboy HTTP server for handling HTTP requests
Description
Non compliant code
defmodule MyAppWeb.Endpoint do
use Phoenix.Endpoint, otp_app: :my_app
socket "/socket", MyAppWeb.UserSocket,
websocket: true,
longpoll: false
plug Plug.Static,
at: "/",
from: :my_app,
gzip: false,
only: ~w(css fonts images js favicon.ico robots.txt)
plug Plug.RequestId
plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]
plug Plug.Parsers,
parsers: [:urlencoded, :multipart, :json],
pass: ["*/*"],
json_decoder: Phoenix.json_library()
plug Plug.MethodOverride
plug Plug.Head
plug Plug.Session, store: :cookie
plug MyAppWeb.Router
end
The code above configures an HTTP server with no encryption. Any data sent between the server and clients is vulnerable to interception. This can be exploited by an attacker to capture sensitive information and credentials in plain text, or intercept communication and steal or forge requests and responses.
Steps
- Acquire a valid TLS certificate for your domain.
- Configure your server to use HTTPS with the TLS certificate.
- Redirect all HTTP requests to HTTPS.
Compliant code
defmodule MyAppWeb.Endpoint do
use Phoenix.Endpoint, otp_app: :my_app
socket "/socket", MyAppWeb.UserSocket,
websocket: true,
longpoll: false
plug Plug.Static,
at: "/",
from: :my_app,
gzip: false,
only: ~w(css fonts images js favicon.ico robots.txt)
plug Plug.RequestId
plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]
plug Plug.Parsers,
parsers: [:urlencoded, :multipart, :json],
pass: ["*/*"],
json_decoder: Phoenix.json_library()
plug Plug.MethodOverride
plug Plug.Head
plug Plug.Session, store: :cookie
plug Plug.ForceSSL
plug MyAppWeb.Router
end
The updated code now includes the 'Plug.ForceSSL' plug, which redirects all non-HTTPS requests to HTTPS, ensuring that all data is transmitted over an encrypted channel. This mitigates the risk of data interception and forgery.