Insecure or unset HTTP headers - CORS - Elixir

Insecure or unset HTTP headers - CORS - Elixir

Need

To prevent the inclusion of resources from untrusted origins

Context

Usage of Elixir for building scalable and fault-tolerant applications
Usage of Plug, Cowboy, and CorsPlug for building a web server in Elixir
Usage of CORS headers management for handling cross-origin resource sharing

Description

Non compliant code

        defmodule Vulnerable do
  use Plug.Router
  plug CORSPlug, origin: "*"

  plug :match
  plug :dispatch

  get "" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS policy is set to '*', allowing any domain to share resources.

Steps

Remove the wildcard (*) from the CORS policy.
Explicitly define the trusted origins for the application resources.

Compliant code

        defmodule Secure do
  use Plug.Router
  plug CORSPlug, origin: "https://trusted.domain.com"

  plug :match
  plug :dispatch

  get "" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS policy is explicitly set to a specific domain, preventing resource sharing with untrusted domains.

References

134. Insecure or unset HTTP headers - CORS