Use of an insecure channel - HTTP

Need

To secure the transmission of sensitive data between client and server by using encryption.

Context

  • Usage of Elixir (1.12.0 and above) with Phoenix Framework (1.5.7) for building web applications
  • Usage of Phoenix configuration file for configuring the Phoenix framework

Description

Non compliant code

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  # Plain HTTP listener: traffic leaves the host unencrypted
  http: [ip: {127, 0, 0, 1}, port: 80],
  url: [scheme: "http", host: "example.com", port: 80]

In this insecure code, the application is configured to communicate over HTTP (port 80), an unencrypted protocol. Anyone positioned on the network path can read the traffic, which exposes sensitive data such as user credentials to eavesdroppers.

Steps

  • Switch from HTTP to HTTPS. This means you will have to get an SSL certificate for your domain.
  • Update the server configuration in the Phoenix configuration file to use HTTPS instead of HTTP.

Compliant code

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  # TLS listener; the key and certificate below are example paths, replace them
  # with a certificate issued for your domain before going to production
  https: [ip: {127, 0, 0, 1}, port: 443, keyfile: "priv/ssl/selfsigned.key", certfile: "priv/ssl/selfsigned.crt"],
  url: [scheme: "https", host: "example.com", port: 443]

In this secure code, the application is now configured to communicate over HTTPS (port 443) using the configured private key and certificate. Transmission of sensitive data is protected by encryption, so a passive observer on the network cannot read it.
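The following is an added example, not the page's original configuration, showing how the steps above are usually completed in a Phoenix endpoint: besides the TLS listener, a plain HTTP listener is kept only so that Plug.SSL (enabled through the endpoint's `force_ssl` option) can redirect clients to HTTPS and set an HSTS header, and a small boot-time check refuses to start when the endpoint is still configured for plain HTTP. The application name `:my_app`, the endpoint module `MyAppWeb.Endpoint`, the module `MyApp.TransportCheck`, the environment variables `SSL_KEY_PATH` / `SSL_CERT_PATH` and the certificate paths are assumed names chosen for the example.

```elixir
# config/prod.exs (added example; :my_app, MyAppWeb.Endpoint and the file
# paths are assumptions, not values taken from the original page)
import Config

config :my_app, MyAppWeb.Endpoint,
  # TLS listener. Key and certificate are read from the paths in the
  # environment; the defaults are placeholders for a locally issued pair.
  https: [
    ip: {0, 0, 0, 0},
    port: 443,
    # Plug.SSL preset that disables weak protocol versions and ciphers
    cipher_suite: :strong,
    keyfile: System.get_env("SSL_KEY_PATH", "priv/ssl/example.key"),
    certfile: System.get_env("SSL_CERT_PATH", "priv/ssl/example.crt")
  ],
  # Plain listener kept only so that HTTP requests can be redirected
  http: [ip: {0, 0, 0, 0}, port: 80],
  # Plug.SSL: redirect every HTTP request to HTTPS and send an HSTS header
  # so browsers stop using plain HTTP for this host; :x_forwarded_proto is
  # honoured when a TLS-terminating proxy sits in front of the application
  force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto]],
  url: [scheme: "https", host: "example.com", port: 443]

# lib/my_app/transport_check.ex (added example; assumed module name)
defmodule MyApp.TransportCheck do
  @moduledoc """
  Boot-time guard: raises if the endpoint configuration would still serve
  sensitive traffic over plain HTTP. Call `verify!/2` from the application
  start callback before starting the endpoint.
  """

  @spec verify!(atom(), module()) :: :ok
  def verify!(otp_app, endpoint) do
    cfg = Application.get_env(otp_app, endpoint, [])

    checks = [
      {get_in(cfg, [:url, :scheme]) == "https",
       "url scheme must be \"https\""},
      {Keyword.has_key?(cfg, :https),
       "no :https listener configured"},
      {Keyword.get(cfg, :force_ssl) != nil,
       ":force_ssl is not set, plain HTTP requests would be served"},
      {get_in(cfg, [:force_ssl, :hsts]) == true,
       "HSTS is disabled in :force_ssl"}
    ]

    case for {false, msg} <- checks, do: msg do
      [] -> :ok
      problems -> raise ArgumentError,
        "#{inspect(endpoint)} transport misconfigured: " <> Enum.join(problems, "; ")
    end
  end
end

# Usage from lib/my_app/application.ex, before the endpoint is started:
#   MyApp.TransportCheck.verify!(:my_app, MyAppWeb.Endpoint)
```

With this configuration a request to `http://example.com/` receives a redirect to `https://example.com/`, and `MyApp.TransportCheck.verify!/2` raises during startup if a later edit drops the `https` listener, sets the URL scheme back to `http`, or removes `force_ssl`, which turns the misconfiguration into a failed deploy rather than silently exposed traffic.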