
Insecure or unset HTTP headers - Referrer-Policy - Elixir


Need

Prevent website domain and path from being leaked to external services.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug and Cowboy for HTTP request and response handling
  3. Improperly set Referrer-Policy HTTP header in the server

Description

Insecure Code Example

defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end

This code sets up a simple Plug router to handle HTTP requests, but it does not set the Referrer-Policy header, potentially allowing the website's domain and path to be leaked.

Steps

  1. Add a plug that sets the Referrer-Policy response header to your router, for example 'plug ReferrerPolicy, policy: :strict_origin'. Plug does not ship a Plug.ReferrerPolicy module, so this plug has to be defined in your application (a few lines calling Plug.Conn.put_resp_header/3) or provided by a third-party library.
  2. The :strict_origin policy sends only the origin (scheme, host and port, never the path or query string) as the Referer, and only to destinations at the same protocol security level (HTTPS to HTTPS); on a downgrade to HTTP no Referer is sent at all.

Secure Code Example

defmodule ReferrerPolicy do
  # Plug has no built-in Referrer-Policy plug, so define a small one here
  @behaviour Plug
  import Plug.Conn

  def init(opts) do
    opts |> Keyword.get(:policy, :strict_origin) |> Atom.to_string() |> String.replace("_", "-")
  end

  def call(conn, value), do: put_resp_header(conn, "referrer-policy", value)
end

defmodule SecureApp do
  use Plug.Router

  # Before :match so every response, including 404s, carries the header
  plug ReferrerPolicy, policy: :strict_origin

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end

This code sets the Referrer-Policy HTTP header to 'strict-origin' on every response, so the browser sends only the origin as the Referer, and only to destinations at the same protocol security level. The path and query string are never sent, and nothing at all is sent on an HTTPS-to-HTTP downgrade, which keeps the website's path from leaking to external services; note that the origin (and therefore the domain) is still shared with same-security destinations, so choose 'no-referrer' or 'same-origin' if the domain itself must stay private.
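The following is an added example, not code from this page: a Referrer-Policy plug that validates the policy name at compile time (so a typo such as :strict_orign cannot silently ship an unrecognized header value, which browsers ignore and fall back to their default), a router that uses it, and an ExUnit check that the header really reaches the response. Module names (ReferrerPolicyPlug, HardenedRouter, ReferrerPolicyPlugTest) are hypothetical; it assumes only the :plug dependency and its Plug.Test helpers.

```elixir
defmodule ReferrerPolicyPlug do
  @moduledoc "Sets the Referrer-Policy response header; rejects unknown policy names in init/1."
  @behaviour Plug
  import Plug.Conn

  # The policy tokens defined by the W3C Referrer Policy specification.
  @policies ~w(no-referrer no-referrer-when-downgrade same-origin origin
               strict-origin origin-when-cross-origin
               strict-origin-when-cross-origin unsafe-url)

  @impl true
  def init(opts) do
    # Convert the option atom (:strict_origin) into the header token (strict-origin).
    value =
      opts
      |> Keyword.get(:policy, :strict_origin)
      |> to_string()
      |> String.replace("_", "-")

    # init/1 runs at compile time for module plugs, so a bad name fails the build.
    value in @policies ||
      raise ArgumentError, "unknown Referrer-Policy value: #{inspect(value)}"

    value
  end

  @impl true
  def call(conn, value), do: put_resp_header(conn, "referrer-policy", value)
end

defmodule HardenedRouter do
  use Plug.Router

  # Placed before :match so 404 and error responses carry the header as well.
  plug ReferrerPolicyPlug, policy: :strict_origin
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello world!")
  end
end

# Put this module under test/ in a Mix project and run `mix test`.
defmodule ReferrerPolicyPlugTest do
  use ExUnit.Case, async: true
  import Plug.Test

  test "every response carries the Referrer-Policy header" do
    conn = conn(:get, "/") |> HardenedRouter.call(HardenedRouter.init([]))

    assert conn.status == 200
    assert Plug.Conn.get_resp_header(conn, "referrer-policy") == ["strict-origin"]
  end

  test "unmatched routes still carry the header" do
    conn = conn(:get, "/does-not-exist") |> HardenedRouter.call(HardenedRouter.init([]))

    assert conn.status == 404
    assert Plug.Conn.get_resp_header(conn, "referrer-policy") == ["strict-origin"]
  end

  test "a misspelled policy name is rejected instead of shipping an ignored header" do
    assert_raise ArgumentError, fn -> ReferrerPolicyPlug.init(policy: :strict_orign) end
  end
end
```

The second test is the check worth keeping in a real project: security headers set inside an individual route handler are easy to forget on error paths, whereas a plug placed ahead of :match covers every response the router produces.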


References

  • 071 - Insecure or unset HTTP headers - Referrer-Policy

  • Last updated: 2023/09/18