Need

To ensure that HTTP methods such as TRACE, PUT and DELETE are disabled to avoid potential security risks

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug and the Phoenix Framework for building web applications

• Usage of the application as a web server for handling HTTP requests

Description

1. Non-compliant code

defmodule VulnerableController do
  use MyApp.Web, :controller

  # update action: dispatched for PUT (and PATCH) requests
  def update(conn, _params) do
    # placeholder body so the action returns a response
    send_resp(conn, 200, "updated")
  end

  # delete action: dispatched for DELETE requests
  def delete(conn, _params) do
    # placeholder body so the action returns a response
    send_resp(conn, 200, "deleted")
  end
end

The Elixir code above is vulnerable because it exposes update and delete actions, which are dispatched for the PUT and DELETE HTTP methods. Keeping these handlers in place can make the application susceptible to potential security threats.

2. Steps

• Use Plug to limit the allowed HTTP methods in your application.

• Remove or comment out any code that handles unwanted HTTP methods.
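The two steps above, worked through as an added example (this is not code from the original page or from the Plug/Phoenix projects; the MyAppWeb.* module names, the PostController resource and the GET/HEAD/POST allow list are assumptions). The first module is a Plug that halts any request whose method is not on the allow list with a 405 response; the endpoint shows where that plug has to sit; the router shows the second layer, generating only the routes that are needed; the ExUnit module checks both the rejected and the accepted path.

```elixir
# Added example, not part of the original page. Module names and the
# allow list are assumptions chosen for illustration.
defmodule MyAppWeb.Plugs.AllowedMethods do
  @moduledoc """
  Halts any request whose HTTP method is not explicitly allowed with
  405 Method Not Allowed. TRACE, PUT, DELETE and anything else not on
  the list never reach the router or a controller action.
  """
  @behaviour Plug
  import Plug.Conn

  @default_allowed ~w(GET HEAD POST)

  @impl true
  def init(opts), do: Keyword.get(opts, :allowed, @default_allowed)

  @impl true
  def call(%Plug.Conn{method: method} = conn, allowed) do
    if method in allowed do
      conn
    else
      conn
      # Advertise the permitted methods, as RFC 9110 expects for a 405
      |> put_resp_header("allow", Enum.join(allowed, ", "))
      |> send_resp(405, "Method Not Allowed")
      |> halt()
    end
  end
end

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Plug.MethodOverride rewrites a POST that carries `_method=PUT|PATCH|DELETE`
  # into that method. The allow-list plug must therefore run AFTER it (or the
  # override plug must be dropped); placed before it, a POST with
  # `_method=DELETE` would pass the filter and still be dispatched as DELETE.
  plug Plug.MethodOverride
  plug MyAppWeb.Plugs.AllowedMethods, allowed: ~w(GET HEAD POST)
  plug Plug.Head
  plug MyAppWeb.Router
end

defmodule MyAppWeb.Router do
  use Phoenix.Router

  # Second layer: only generate the routes that are actually needed.
  # `only:` keeps index/show/new/create and omits edit/update/delete, so
  # no PUT, PATCH or DELETE route exists even if the filter were misconfigured.
  scope "/", MyAppWeb do
    resources "/posts", PostController, only: [:index, :show, :new, :create]
  end
end

defmodule MyAppWeb.Plugs.AllowedMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias MyAppWeb.Plugs.AllowedMethods

  test "TRACE is rejected with 405 and the Allow header" do
    conn = AllowedMethods.call(conn(:trace, "/"), AllowedMethods.init([]))
    assert conn.halted
    assert conn.status == 405
    assert get_resp_header(conn, "allow") == ["GET, HEAD, POST"]
  end

  test "DELETE is rejected even though a route could exist for it" do
    conn = AllowedMethods.call(conn(:delete, "/posts/1"), AllowedMethods.init([]))
    assert conn.halted
    assert conn.status == 405
  end

  test "GET passes through untouched" do
    conn = AllowedMethods.call(conn(:get, "/posts"), AllowedMethods.init([]))
    refute conn.halted
  end
end
```

Running the filter in the endpoint rather than in a single router pipeline means the check also covers requests that never match a route, and the `only:` option on `resources` removes the PUT/PATCH/DELETE routes altogether, so the two measures back each other up.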

3. Secure code example

defmodule SecureController do
  use MyApp.Web, :controller

  # show action: dispatched for GET requests
  def show(conn, _params) do
    # placeholder body so the action returns a response
    send_resp(conn, 200, "shown")
  end

  # create action: dispatched for POST requests
  def create(conn, _params) do
    # placeholder body so the action returns a response
    send_resp(conn, 201, "created")
  end
end

The Elixir code above is secure because it does not include handlers for the PUT and DELETE HTTP methods; only the show and create actions remain. This prevents potential security threats associated with these methods.