Technical information leak - Content response

Need

To prevent unauthorized disclosure of technical details which could be exploited for crafting new attack vectors.

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Plug package for handling requests and responses

Description

Non compliant code

defmodule MyAppWeb.MyController do
  use MyAppWeb, :controller

  def index(conn, _params) do
    conn
    |> put_resp_header("server", "Plug/1.12.0")
    |> send_resp(200, "Hello, world!")
  end
end

In the insecure code, the server includes a 'server' response header that reveals the version of the Plug package it's using. This information could be used by an attacker to find vulnerabilities in that specific version and exploit them.

Steps

Remove the code that adds the 'server' header with the version information.
Review the application to ensure it doesn't disclose any other technical details in its responses.

Compliant code

defmodule MyAppWeb.MyController do
  use MyAppWeb, :controller

  def index(conn, _params) do
    send_resp(conn, 200, "Hello, world!")
  end
end

In the secure code, the server doesn't include any headers that reveal technical details about its configuration. This makes it harder for an attacker to find and exploit vulnerabilities.

References

362.Technical information leak - Content response

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​