Prevent unauthorized listing of directory contents that could reveal sensitive information or application structure.
```elixir
plug Plug.Static,
  at: "/",
  from: :app,
  gzip: false,
  only: ~w(css fonts images js favicon.ico robots.txt)
```
This configuration in the `endpoint.ex` file serves static assets from the root of the static directory and its subdirectories (`css`, `fonts`, `images`, `js`). If the server is incorrectly configured, or if no index file is present in one of these directories, a request for the directory itself allows anyone to list all files in it.
```elixir
plug Plug.Static,
  at: "/",
  from: :app,
  gzip: false,
  index: "index.html",   # a double-quoted string, not a single-quoted charlist
  only: ~w(css fonts images js favicon.ico robots.txt)
```
The `index` option is added to the configuration. It causes `index.html` to be served whenever a directory is requested, so the directory's contents are never listed and the vulnerability is mitigated.
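As a complementary defence that does not depend on an index file being present in every directory, the following plug rejects requests that resolve to a directory under the static mount point before `Plug.Static` sees them. This is an added example, not code from the original page or from the Plug project; the module name `MyAppWeb.Plugs.NoDirectoryListing`, the application name `:my_app`, and the `priv/static` layout are assumptions.

```elixir
# Added example (not from the original page). A small plug placed before
# Plug.Static that answers 404 for any request that maps to a directory
# rather than a regular file inside the exposed static folders.
defmodule MyAppWeb.Plugs.NoDirectoryListing do
  @behaviour Plug
  import Plug.Conn

  # Top-level static directories that are exposed; assumed to match the
  # `only:` list given to Plug.Static in the endpoint.
  @static_dirs ~w(css fonts images js)

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{path_info: [top | _] = segments} = conn, _opts)
      when top in @static_dirs do
    if directory_request?(conn, segments) do
      # Halt the pipeline so neither Plug.Static nor the router handles it.
      conn
      |> send_resp(404, "Not Found")
      |> halt()
    else
      conn
    end
  end

  # Anything outside the static directories is passed through untouched.
  def call(conn, _opts), do: conn

  # A trailing slash (e.g. "/css/") or a path that resolves to a directory
  # on disk (e.g. "/css") is treated as a directory request.
  defp directory_request?(conn, segments) do
    # Assumed layout: static files live in the application's priv/static.
    disk_path = Application.app_dir(:my_app, ["priv", "static" | segments])
    String.ends_with?(conn.request_path, "/") or File.dir?(disk_path)
  end
end

# Endpoint wiring (assumed): the guard plug runs before Plug.Static.
#
#   plug MyAppWeb.Plugs.NoDirectoryListing
#   plug Plug.Static,
#     at: "/",
#     from: :my_app,
#     gzip: false,
#     only: ~w(css fonts images js favicon.ico robots.txt)
#
# Quick check from IEx or an ExUnit test using Plug.Test:
#
#   conn = Plug.Test.conn(:get, "/css/") |> MyAppWeb.Plugs.NoDirectoryListing.call([])
#   conn.status  # => 404 and conn.halted == true
#
#   conn = Plug.Test.conn(:get, "/css/app.css") |> MyAppWeb.Plugs.NoDirectoryListing.call([])
#   conn.halted  # => false, so Plug.Static serves the file as usual
```

Because the check is explicit, the response for a directory path is the same whether or not an `index.html` exists, and the rejected requests can be logged or counted as a detection signal for probing of the application's static layout.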