Insecure or unset HTTP headers - Referrer-Policy - Elixir

Need

Prevent website domain and path from being leaked to external services.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug and Cowboy for HTTP request and response handling
  • Improperly set Referrer-Policy HTTP header in the server

Description

Non compliant code

        defmodule VulnerableApp do
          use Plug.Router

          # No plug in this pipeline touches the Referrer-Policy header,
          # so responses go out without one.
          plug :match
          plug :dispatch

          get "/" do
            conn
            |> put_resp_content_type("text/plain")
            |> send_resp(200, "Hello world!")
          end
        end

This router handles requests but never sets a Referrer-Policy header, so each browser applies its own default. Current browsers default to strict-origin-when-cross-origin, but older browsers defaulted to no-referrer-when-downgrade, which sends the full URL, domain and path included, to every HTTPS destination the page links to or loads resources from. Leaving the policy unset therefore delegates the decision to the client, and the site cannot rely on the path staying private.

Steps

  • Set the Referrer-Policy response header on every response. Plug itself ships no dedicated Referrer-Policy plug, so add a function plug (or a small module plug) that calls Plug.Conn.put_resp_header/3 with "referrer-policy" and the chosen value, and place it before :match and :dispatch so it runs before any route sends its response.
  • strict-origin sends only the origin (scheme, host and port, never the path or query string), and only while the protocol security level is unchanged (HTTPS to HTTPS); on a downgrade (HTTPS to HTTP) no Referer header is sent at all. If same-origin analytics need the path, strict-origin-when-cross-origin keeps the full URL for same-origin requests and still sends only the origin cross-origin.
  • Verify the deployed header from outside the application, for example with curl -sI https://your-host/ | grep -i referrer-policy, since a plug placed after send_resp/3 has no effect.

Compliant code

        defmodule SecureApp do
          use Plug.Router

          # Runs before :match/:dispatch, so the header is in place before
          # any route calls send_resp/3.
          plug :put_referrer_policy
          plug :match
          plug :dispatch

          get "/" do
            conn
            |> put_resp_content_type("text/plain")
            |> send_resp(200, "Hello world!")
          end

          # Function plug; Plug.Conn.put_resp_header/3 is part of Plug itself,
          # so no extra dependency is needed.
          defp put_referrer_policy(conn, _opts) do
            put_resp_header(conn, "referrer-policy", "strict-origin")
          end
        end

This code sets Referrer-Policy to strict-origin on every response. With that policy the browser sends only the origin (scheme, host and port) as the Referer when the protocol security level is unchanged (HTTPS to HTTPS) and sends nothing on a downgrade (HTTPS to HTTP), so the path and query string are never disclosed to another site. The header governs requests the browser makes from the document that carried it, so it must be present on the HTML pages users navigate away from, not only on API responses; setting it in the router before :match covers every route. In a Phoenix application, put_secure_browser_headers/2 in the browser pipeline also sets this header (to strict-origin-when-cross-origin) in current releases.
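As an added example, not part of the original page or of the Plug library, the following script packages the fix from the Steps and Compliant code sections as a reusable module plug that validates the policy value at compile time, and checks the result with ExUnit and Plug.Test. The module names ReferrerPolicyPlug, SecureRouter and ReferrerPolicyTest, the :policy option and the Plug version in Mix.install are assumptions; the request is constructed in the test rather than captured from a real client.

```elixir
# Stand-alone script: run with `elixir referrer_policy.exs`.
# Mix.install fetches Plug so no project is needed (assumed version range).
Mix.install([{:plug, "~> 1.14"}])

defmodule ReferrerPolicyPlug do
  @moduledoc """
  Module plug that sets the Referrer-Policy response header.
  Added example; this is not a Plug built-in, and the option name
  `:policy` is an assumption of this example.
  """
  @behaviour Plug
  import Plug.Conn

  # Every value defined by the Referrer Policy specification, keyed by the
  # atom accepted in the plug options.
  @policies %{
    no_referrer: "no-referrer",
    no_referrer_when_downgrade: "no-referrer-when-downgrade",
    same_origin: "same-origin",
    origin: "origin",
    strict_origin: "strict-origin",
    origin_when_cross_origin: "origin-when-cross-origin",
    strict_origin_when_cross_origin: "strict-origin-when-cross-origin",
    unsafe_url: "unsafe-url"
  }

  # Plug.Builder calls init/1 at compile time for module plugs, so a typo in
  # the policy name fails the build instead of silently shipping an invalid
  # header value that browsers would ignore.
  @impl Plug
  def init(opts) do
    policy = Keyword.get(opts, :policy, :strict_origin)

    case Map.fetch(@policies, policy) do
      {:ok, value} ->
        value

      :error ->
        raise ArgumentError,
              "unknown Referrer-Policy #{inspect(policy)}; " <>
                "expected one of #{inspect(Map.keys(@policies))}"
    end
  end

  # Header values are set before the response is sent, so this plug must sit
  # ahead of whatever calls send_resp/3.
  @impl Plug
  def call(conn, value) do
    put_resp_header(conn, "referrer-policy", value)
  end
end

defmodule SecureRouter do
  use Plug.Router

  plug ReferrerPolicyPlug, policy: :strict_origin
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end

ExUnit.start()

defmodule ReferrerPolicyTest do
  use ExUnit.Case, async: true
  import Plug.Test

  test "every response from the router carries strict-origin" do
    # Constructed request; no network involved.
    conn = SecureRouter.call(conn(:get, "/"), SecureRouter.init([]))

    assert conn.status == 200
    assert Plug.Conn.get_resp_header(conn, "referrer-policy") == ["strict-origin"]
  end

  test "an unknown policy name is rejected by init/1" do
    assert_raise ArgumentError, fn ->
      ReferrerPolicyPlug.init(policy: :strict_origins)
    end
  end
end
```

The same two checks belong in a real project's test suite: one asserting the header value on a routed response, and one asserting that an invalid policy cannot be configured. Because the validation happens in init/1, the second failure surfaces when the router is compiled, which is the cheapest place to catch a misspelt policy.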
