Technical information leak - IPs - Elixir

Need

To prevent exposure of internal technical information.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug for building modular web applications
  • Usage of Cowboy as the HTTP server

Description

Non compliant code

        defmodule MyApp.Router do
          use Plug.Router

          plug :match
          plug :dispatch

          get "/" do
            conn
            # Leaks the server's internal address to every client
            |> put_resp_header("X-Server-IP", "192.168.0.1")
            |> send_resp(200, "Welcome to MyApp!")
          end
        end


This code is vulnerable because it sets a response header (X-Server-IP) containing the server's internal IP address (192.168.0.1, an RFC 1918 private address). Every client, including an attacker, can read it with a single request. Knowing the private address range in use helps an attacker map the internal network, choose targets for server-side request forgery, and pivot once they obtain a foothold, so it is information the application has no reason to disclose.

Steps

  • Remove any code that sets response headers with sensitive technical information (internal IP addresses, hostnames, server or framework versions).
  • Review the rest of the codebase, including error pages, logs returned to clients and debug endpoints, and remove any other instances of technical information leaks.
  • Add an automated check (for example, a test that inspects response headers for private IP addresses) so the leak cannot silently return.
  • Ensure your team is aware of the risk of exposing technical information.
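The following is an added example, not code from the original page or from the MyApp project: a `Plug` that strips header names assumed to carry internal addressing (`x-server-ip`, `x-backend-host`, `server`; these names are an assumption, adjust them to whatever your application actually sets) before the response is sent, wired into a router, plus an ExUnit test that scans every response header for RFC 1918 private IPv4 addresses. The test is the automated check mentioned in the steps above.

```elixir
# Added example (not from the original page): strip headers that reveal internal
# addressing before send, and test that no header leaks a private IPv4 address.

defmodule MyApp.StripInternalHeaders do
  @moduledoc "Removes response headers that expose internal infrastructure."
  @behaviour Plug
  import Plug.Conn

  # Assumed header names for illustration; Plug stores header names lowercased.
  @sensitive ["x-server-ip", "x-backend-host", "server"]

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Runs just before the response is sent, so headers added later in the
    # pipeline by any handler are removed as well.
    register_before_send(conn, fn conn ->
      Enum.reduce(@sensitive, conn, fn name, acc -> delete_resp_header(acc, name) end)
    end)
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # Placed first so it is always registered, whichever route matches.
  plug MyApp.StripInternalHeaders
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Welcome to MyApp!")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  @private_ipv4 ~r/\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/

  defp request(path) do
    conn(:get, path) |> MyApp.Router.call(MyApp.Router.init([]))
  end

  test "no response header carries a private IPv4 address" do
    for path <- ["/", "/missing"], {name, value} <- request(path).resp_headers do
      refute Regex.match?(@private_ipv4, value),
             "header #{name} on #{path} leaks an internal address: #{value}"
    end
  end

  test "a handler that sets X-Server-IP still does not leak it" do
    # Simulate a handler adding the header after the plug has registered its hook.
    conn =
      conn(:get, "/")
      |> MyApp.StripInternalHeaders.call([])
      |> put_resp_header("x-server-ip", "192.168.0.1")
      |> send_resp(200, "ok")

    assert get_resp_header(conn, "x-server-ip") == []
  end
end
```

Run the tests with `mix test`. The before-send hook is what makes the plug robust: a handler that reintroduces the header later in the pipeline (the second test) is still caught, whereas deleting headers at the point the plug is called would miss it.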

Compliant code

        defmodule MyApp.Router do
          use Plug.Router

          plug :match
          plug :dispatch

          get "/" do
            send_resp(conn, 200, "Welcome to MyApp!")
          end
        end


In this secure code example, the call that set the X-Server-IP header has been removed. The application no longer exposes the server's internal IP address in its responses, and the response carries only the headers Plug and Cowboy set by default.
