Insecure or unset HTTP headers - Strict Transport Security
Need
To enforce the use of HTTPS to prevent confidential information from being sent over insecure channels
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Plug Cowboy for building web applications in Elixir
• Usage of HTTP header management
Description
1. Non-compliant code
defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    # No Strict-Transport-Security header is added to this response
    |> send_resp(200, "<h1>Hello</h1>")  # placeholder body; the original body is elided
  end
end

In this Elixir code snippet, the server response doesn't include the Strict-Transport-Security header, so the application is exposed to attacks such as man-in-the-middle (MitM).
2. Steps
• Set the Strict-Transport-Security header in the server responses.
• Set the max-age of this header to at least 31536000 (one year).
3. Secure code example
defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/html")
    # Header names passed to put_resp_header must be lowercase in Plug
    |> put_resp_header("strict-transport-security", "max-age=31536000")
    |> send_resp(200, "<h1>Hello</h1>")  # placeholder body; the original body is elided
  end
end

In this Elixir code snippet, the server response includes the Strict-Transport-Security header with a max-age of one year (31536000 seconds), ensuring that the browser only communicates with the server over HTTPS for that period.
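As an added check that is not part of the original page, the following Python validator applies the two steps above (header present, max-age of at least 31536000 seconds) to response headers, parsing the header value as RFC 6797 directives; the sample responses and names such as check_hsts and SAMPLES are this example's own.

```python
ONE_YEAR = 31536000  # minimum max-age given in the steps above


def parse_hsts(value: str) -> dict:
    """Split an RFC 6797 header value into {directive: value-or-None}.
    Names are case-insensitive; a directive may not appear twice."""
    directives = {}
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue  # tolerate a trailing ';'
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if val else None
    return directives


def check_hsts(headers: dict, min_age: int = ONE_YEAR) -> dict:
    """Apply the two steps above to a response's headers and report
    problems: the header must exist and max-age must be >= min_age."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    result = {"present": value is not None, "max_age": None,
              "include_subdomains": False, "problems": []}
    if value is None:
        result["problems"].append("header missing")
        return result
    try:
        d = parse_hsts(value)
    except ValueError as err:
        result["problems"].append(str(err))
        return result
    age = d.get("max-age")
    result["max_age"] = int(age) if age and age.isdigit() else None
    result["include_subdomains"] = "includesubdomains" in d
    if result["max_age"] is None:
        result["problems"].append("max-age missing or not an integer")
    elif result["max_age"] < min_age:
        result["problems"].append(f"max-age {result['max_age']} below {min_age}")
    return result


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "vulnerable": {"content-type": "text/html"},
    "too_short": {"Strict-Transport-Security": "max-age=3600"},
    "secure": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}
```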