Insecure or unset HTTP headers - X-XSS Protection - Elixir

Need

To prevent an increased chance of a stored XSS being exploited

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of X-XSS Protection header management for preventing cross-site scripting attacks

Description

Non compliant code

    defmodule Vulnerable do
      use Plug.Router
      # put_secure_browser_headers/2 is defined by Phoenix.Controller, not Plug.Router,
      # so it must be imported (requires the :phoenix dependency) before it can be used as a plug
      import Phoenix.Controller, only: [put_secure_browser_headers: 2]
      plug :put_secure_browser_headers

      plug :match
      plug :dispatch

      get "/" do
        conn
        # Deprecated header: modern browsers ignore it
        |> put_resp_header("x-xss-protection", "1; mode=block")
        |> send_resp(200, "OK")
      end

      match _ do
        send_resp(conn, 404, "Not found")
      end
    end


In this Elixir code snippet, the application sets the deprecated X-XSS Protection header in its responses.

Steps

  • Disable the X-XSS Protection filter in the server responses.
  • Instead, define the security policy through the CSP (Content Security Policy) header.
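Both steps applied in one reusable plug, with an ExUnit check that the deprecated header never reaches the client. This is an added example, not code from the original page; the SecureHeaders module, its default policy string and the test setup are assumptions, and it needs only the :plug dependency.

```elixir
defmodule SecureHeaders do
  # Hypothetical plug (not from the page): strips the deprecated header from every
  # response and supplies a Content-Security-Policy when the route set none.
  @behaviour Plug
  import Plug.Conn

  # Assumed default policy; tune it to the assets the application actually serves.
  @default_csp "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

  @impl Plug
  def init(opts), do: Keyword.get(opts, :csp, @default_csp)

  @impl Plug
  def call(conn, csp) do
    # Runs right before the response is sent, so it also overrides headers set by routes.
    register_before_send(conn, fn conn ->
      conn
      |> delete_resp_header("x-xss-protection")
      |> put_csp_if_missing(csp)
    end)
  end

  defp put_csp_if_missing(conn, csp) do
    case get_resp_header(conn, "content-security-policy") do
      [] -> put_resp_header(conn, "content-security-policy", csp)
      _ -> conn
    end
  end
end

defmodule SecureHeadersTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  test "legacy header is removed and a CSP is added at send time" do
    conn =
      conn(:get, "/")
      |> SecureHeaders.call(SecureHeaders.init([]))
      # Constructed legacy behaviour: a handler that still sets the deprecated header.
      |> put_resp_header("x-xss-protection", "1; mode=block")
      |> send_resp(200, "OK")

    assert get_resp_header(conn, "x-xss-protection") == []
    assert [csp] = get_resp_header(conn, "content-security-policy")
    assert String.starts_with?(csp, "default-src 'self'")
  end
end
```

Place `plug SecureHeaders` before `plug :match` in the router and run the test with `mix test`; the same check can be pointed at any existing router to detect routes that still emit the header.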

Compliant code

    defmodule Secure do
      use Plug.Router
      # put_secure_browser_headers/2 is defined by Phoenix.Controller, not Plug.Router,
      # so it must be imported (requires the :phoenix dependency) before it can be used as a plug
      import Phoenix.Controller, only: [put_secure_browser_headers: 2]
      plug :put_secure_browser_headers

      plug :match
      plug :dispatch

      get "/" do
        conn
        # Restrict all resource loading to the same origin; this replaces any
        # content-security-policy value set earlier in the pipeline
        |> put_resp_header("content-security-policy", "default-src 'self'")
        |> send_resp(200, "OK")
      end

      match _ do
        send_resp(conn, 404, "Not found")
      end
    end


In this Elixir code snippet, the application sets a CSP (Content Security Policy) header instead of the deprecated X-XSS Protection header.
