Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Elixir

Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Elixir

Need

To prevent harmful requests from Adobe Flash or PDF documents

Context

Usage of Elixir for building scalable and fault-tolerant applications
Usage of Plug Cowboy for building web applications in Elixir
Usage of X-Permitted-Cross-Domain-Policies header management

Description

Non compliant code

        defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  get "" do
    conn
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the application is lacking the X-Permitted-Cross-Domain-Policies header.

Steps

Unless the application requires Adobe products, set the X-Permitted-Cross-Domain-Policies to none in the server responses.

Compliant code

        defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  get "" do
    conn
    |> put_resp_header("x-permitted-cross-domain-policies", "none")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the application is setting the X-Permitted-Cross-Domain-Policies header to 'none'.

References

137. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies