Use of an insecure channel - HTTP - Elixir

Need

To secure the transmission of sensitive data between client and server by using encryption.

Context

  • Usage of Elixir (1.12.0 and above) with Phoenix Framework (1.5.7) for building web applications
  • Usage of Phoenix configuration file for configuring the Phoenix framework

Description

Non-compliant code

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  http: [ip: {127, 0, 0, 1}, port: 80],
  url: [scheme: "http", host: "example.com", port: 80]


In this insecure code, the application is configured to communicate over HTTP (port 80), an unencrypted protocol. Anyone able to observe the traffic can read sensitive data such as user credentials and session cookies.

Steps

  • Switch from HTTP to HTTPS. This requires obtaining a TLS certificate for your domain.
  • Update the endpoint configuration in the Phoenix configuration file to serve HTTPS instead of HTTP.

Compliant code

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  https: [ip: {127, 0, 0, 1}, port: 443, keyfile: "priv/ssl/selfsigned.key", certfile: "priv/ssl/selfsigned.crt"],
  url: [scheme: "https", host: "example.com", port: 443]


In this secure code, the application is configured to communicate over HTTPS (port 443) using the configured TLS certificate and key, so sensitive data is encrypted in transit.
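A fuller hardening of the same endpoint, as an added example that is not part of the original page: the certificate and key paths are read from the environment rather than a self-signed pair checked into priv/, the cipher suite is restricted, and force_ssl makes Phoenix redirect plain HTTP to HTTPS and emit a Strict-Transport-Security header. The environment-variable names and the kept HTTP listener are assumptions.

```elixir
# In config/prod.exs (added example; SSL_KEY_PATH and SSL_CERT_PATH are
# assumed environment-variable names, not ones defined by Phoenix)
import Config

config :my_app, MyAppWeb.Endpoint,
  # A plain listener is kept only so that Plug.SSL (enabled by :force_ssl)
  # can answer HTTP requests with a redirect; nothing else is served on it.
  http: [port: 80],
  https: [
    port: 443,
    # :strong restricts the TLS versions and ciphers Plug.SSL offers.
    cipher_suite: :strong,
    # Fail at startup rather than silently serving without a certificate.
    keyfile: System.get_env("SSL_KEY_PATH") || raise("SSL_KEY_PATH is not set"),
    certfile: System.get_env("SSL_CERT_PATH") || raise("SSL_CERT_PATH is not set")
  ],
  url: [scheme: "https", host: "example.com", port: 443],
  # Redirect every HTTP request to HTTPS and send Strict-Transport-Security
  # so browsers refuse to downgrade on later visits.
  force_ssl: [hsts: true]
```

After deploying, confirm that a request to http://example.com/ answers with a 301 to the https:// URL and that the HTTPS response carries a Strict-Transport-Security header.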
