Insecure or unset HTTP headers - Strict Transport Security - Elixir

Need

To enforce the use of HTTPS to prevent confidential information from being sent over insecure channels

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of HTTP headers management

Description

Non-compliant code

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: responds over whatever transport the request arrived on and
  # sends no Strict-Transport-Security header, so the browser is never told
  # to insist on HTTPS for future requests.
  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response doesn't include the Strict-Transport-Security header, so a browser that once reached the site over plain HTTP will keep accepting HTTP, leaving the application exposed to man-in-the-middle (MitM) attacks such as SSL stripping.

Steps

  • Set the Strict-Transport-Security header in the server responses.
  • Set the max-age of this header to at least 31536000 (one year).

Compliant code

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: the strict-transport-security header (one-year max-age)
  # instructs the browser to use HTTPS only for this host until it expires.
  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> put_resp_header("strict-transport-security", "max-age=31536000")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the server response includes the Strict-Transport-Security header with a max-age of one year, ensuring that the browser only communicates with the server over HTTPS for the specified time.
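The compliant snippet above sets the header on a single route, so any route that forgets to do so (including the 404 branch) still answers without it. The following added example, which is not part of the original page, applies the two steps above to every response with a small reusable plug and verifies the result with an ExUnit test through Plug.Test. The module names HSTSPlug, SecureRouter and SecureRouterTest, and the plug's option names, are assumptions made for the example.

```elixir
# Added example (not from the original page): a reusable plug that sets
# Strict-Transport-Security on every response, plus a test that checks it.
# Module and option names are assumptions; the Plug APIs used are real.
defmodule HSTSPlug do
  @moduledoc "Adds Strict-Transport-Security to every response in the pipeline."
  @behaviour Plug
  import Plug.Conn

  # One year is the minimum recommended max-age; includeSubDomains prevents
  # cookies scoped to subdomains from being sent over plain HTTP.
  @default_opts [max_age: 31_536_000, include_subdomains: true]

  @impl true
  def init(opts), do: Keyword.merge(@default_opts, opts)

  @impl true
  def call(conn, opts) do
    value = "max-age=#{opts[:max_age]}"
    value = if opts[:include_subdomains], do: value <> "; includeSubDomains", else: value

    # register_before_send runs when send_resp/3 is eventually called, so the
    # header lands on every response, not only on routes that add it by hand.
    register_before_send(conn, fn conn ->
      put_resp_header(conn, "strict-transport-security", value)
    end)
  end
end

defmodule SecureRouter do
  use Plug.Router

  plug HSTSPlug
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule SecureRouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts SecureRouter.init([])
  @expected ["max-age=31536000; includeSubDomains"]

  test "root route carries the HSTS header" do
    conn = conn(:get, "/") |> SecureRouter.call(@opts)
    assert conn.status == 200
    assert get_resp_header(conn, "strict-transport-security") == @expected
  end

  test "the 404 branch carries the HSTS header as well" do
    conn = conn(:get, "/missing") |> SecureRouter.call(@opts)
    assert conn.status == 404
    assert get_resp_header(conn, "strict-transport-security") == @expected
  end
end
```

Two practical notes. First, browsers only honour Strict-Transport-Security when it arrives over a valid HTTPS connection (RFC 6797), so the header is a complement to, not a replacement for, redirecting HTTP to HTTPS; the built-in `Plug.SSL` plug does both (`plug Plug.SSL, rewrite_on: [:x_forwarded_proto], expires: 31_536_000, subdomains: true`) and is the simpler choice when the application sits behind a TLS-terminating proxy. Second, `includeSubDomains` commits every subdomain to HTTPS for the full max-age, so confirm all subdomains serve TLS before enabling it.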
