Technical Information Leak - Headers - Elixir

Technical Information Leak - Headers - Elixir

Need

Prevent exposing server details through HTTP response headers.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.12.0 and above) for building composable web applications in Elixir

Description

Non compliant code

        defmodule MyApp.Plug.RemoveSensitiveHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    conn
    |> put_resp_header("Server", "MyApp/1.0.0 (Elixir Plug/1.12.0)")
  end
end
        
        

This code is insecure because it sets the 'Server' response header with information about the application and the server technology, potentially exposing the system to targeted attacks.

Steps

  • Avoid setting headers that reveal sensitive details about the server or the technology stack.
  • Review your application's response headers to ensure that no sensitive information is being exposed.
  • Use a security-oriented middleware or plug that removes or obfuscates these headers.

Compliant code

        defmodule MyApp.Plug.RemoveSensitiveHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    conn
    |> put_resp_header("Server", "Secure Server")
  end
end
        
        

This code is secure because it doesn't reveal specific details about the application or the technology stack in the 'Server' header. Instead, it sets a generic value, reducing the risk of targeted attacks.

References