Insecure or unset HTTP headers - CORS
Need
To prevent the inclusion of resources from untrusted origins
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Plug, Cowboy, and CorsPlug for building a web server in Elixir
• Usage of CORS headers management for handling cross-origin resource sharing
Description
1. Non-compliant code
defmodule Vulnerable do
  use Plug.Router
  # Wildcard origin: any site may read this server's responses cross-origin
  plug CORSPlug, origin: "*"
  plug :match
  plug :dispatch
  # Route wrapper assumed; the original snippet showed only the response call
  get "/" do
    send_resp(conn, 200, "OK")
  end
end

In this Elixir code snippet, the CORS origin is set to '*', so any origin may read the server's responses and share its resources.
2. Steps
• Remove the wildcard (*) from the CORS policy.
• Explicitly define the trusted origins for the application resources.
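The following Python model, added here as an example and not taken from CORSPlug or from the page's Elixir code, shows the decision a server makes once the wildcard is removed: only an exact match against an explicit trusted-origin list produces an Access-Control-Allow-Origin header, and the header never echoes an arbitrary Origin or "*". The trusted and untrusted origin values are constructed for the example.

```python
"""Model of an explicit origin allow-list for CORS responses (added example)."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list: exact scheme + host (+ non-default port) of trusted sites.
TRUSTED_ORIGINS = frozenset({
    "https://trusted.domain.com",
    "https://app.trusted.domain.com",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if malformed.

    Browsers already send Origin in this form; normalizing case and default
    ports guards against hand-made requests and the literal value "null".
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin carries no path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str],
                 allow_credentials: bool = False) -> Dict[str, str]:
    """Compute the CORS response headers for one request.

    Returns an empty dict when Origin is absent or not on the allow-list, so
    the browser blocks the cross-origin read. The allow-list is matched
    exactly: suffix or substring checks would accept look-alike hosts such
    as "trusted.domain.com.untrusted.example".
    """
    if request_origin is None:
        return {}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in TRUSTED_ORIGINS:
        return {}
    headers = {
        "access-control-allow-origin": origin,
        # The response differs per Origin, so shared caches must key on it.
        "vary": "Origin",
    }
    if allow_credentials:
        # Browsers reject "*" with credentials; an exact origin is required.
        headers["access-control-allow-credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://trusted.domain.com", "https://untrusted.example", None):
        print(o, "->", cors_headers(o))
```

The same rule applies to the CORSPlug configuration in step 3 of this page: list each trusted origin explicitly and let anything else receive no Access-Control-Allow-Origin header at all.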
3. Secure code example
defmodule Secure do
  use Plug.Router
  # Only this origin is allowed to read responses cross-origin
  plug CORSPlug, origin: "https://trusted.domain.com"
  plug :match
  plug :dispatch
  # Route wrapper assumed; the original snippet showed only the response call
  get "/" do
    send_resp(conn, 200, "OK")
  end
end

In this Elixir code snippet, the CORS origin is explicitly set to a single trusted domain, so browsers on untrusted origins cannot read the server's responses.
References
• 134. Insecure or unset HTTP headers - CORS