
Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Elixir


Need

To prevent harmful requests from Adobe Flash or PDF documents


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications in Elixir
  3. Usage of X-Permitted-Cross-Domain-Policies header management

Description

Insecure Code Example

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: responds without any X-Permitted-Cross-Domain-Policies header,
  # so Flash/PDF clients fall back to whatever a crossdomain.xml file allows.
  get "/" do
    conn
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the application does not set the X-Permitted-Cross-Domain-Policies header on its responses.

Steps

  1. Unless the application requires Adobe products, set the X-Permitted-Cross-Domain-Policies header to none in the server responses.

Secure Code Example

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  # Root route: Plug requires lowercase header names, and "none" tells Flash/PDF
  # clients that no cross-domain policy file is permitted for this host.
  get "/" do
    conn
    |> put_resp_header("x-permitted-cross-domain-policies", "none")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the application is setting the X-Permitted-Cross-Domain-Policies header to 'none'.


References

  • 137 - Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies

  • Last updated: 2023/09/18