
Insecure or unset HTTP headers - CORS - Elixir


Need

To prevent the inclusion of resources from untrusted origins


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug, Cowboy, and CorsPlug for building a web server in Elixir
  3. Usage of CORS headers management for handling cross-origin resource sharing

Description

Insecure Code Example

defmodule Vulnerable do
  use Plug.Router

  # Wildcard origin: every site on the web may read this server's responses.
  plug CORSPlug, origin: "*"

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS policy is set to '*', so any origin is allowed to share resources with the application.

Steps

  1. Remove the wildcard (*) from the CORS policy.
  2. Explicitly define the trusted origins for the application resources.

Secure Code Example

defmodule Secure do
  use Plug.Router

  # Only the named origin is reflected in Access-Control-Allow-Origin.
  plug CORSPlug, origin: "https://trusted.domain.com"

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the CORS policy is explicitly set to a single trusted origin, preventing resource sharing with untrusted domains.
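The same fix carried a step further, as an added example that is not part of the original page: the trusted origins are kept in one module attribute (a list instead of a single string), credentials are disabled explicitly, and a small Plug.Test helper returns the Access-Control-Allow-Origin value the router emits for a given request origin so the policy can be checked in a test. The module names SecureApi.Router and SecureApi.CorsCheck and the origins are assumptions; the cors_plug and plug dependencies are assumed to be present.

```elixir
defmodule SecureApi.Router do
  use Plug.Router

  # Allow-list of exact origins (assumed values). CORSPlug accepts a list of
  # strings here; the request's Origin header is echoed back only when it
  # matches one of them.
  @trusted_origins ["https://app.example.com", "https://admin.example.com"]

  plug CORSPlug,
    origin: @trusted_origins,
    # CORSPlug enables credentials by default; keep them off unless the
    # browser really has to send cookies cross-origin.
    credentials: false,
    methods: ["GET", "POST"],
    max_age: 600

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule SecureApi.CorsCheck do
  import Plug.Test
  import Plug.Conn

  # Runs a request carrying the given Origin through the router and returns
  # the resulting access-control-allow-origin header values.
  def allow_origin_for(origin) do
    conn(:get, "/")
    |> put_req_header("origin", origin)
    |> SecureApi.Router.call(SecureApi.Router.init([]))
    |> get_resp_header("access-control-allow-origin")
  end
end
```

In an ExUnit test, `SecureApi.CorsCheck.allow_origin_for("https://app.example.com")` is expected to return `["https://app.example.com"]`, while for an origin outside the list the untrusted value must not be echoed back.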


References

  • 134 - Insecure or unset HTTP headers - CORS

  • Last updated

    2023/09/18