Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
Need
To prevent harmful requests from Adobe Flash or PDF documents
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Plug Cowboy for building web applications in Elixir
• Usage of X-Permitted-Cross-Domain-Policies header management
Description
1. Non compliant code
defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # The response is sent without an X-Permitted-Cross-Domain-Policies header
    conn
    |> send_resp(200, "OK")
  end
end

In this Elixir code snippet, the application's responses lack the X-Permitted-Cross-Domain-Policies header.
2. Steps
• Unless the application requires Adobe products, set the X-Permitted-Cross-Domain-Policies header to none in the server responses.
3. Secure code example
defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Header names are lowercased in Plug; "none" disallows all policy files
    conn
    |> put_resp_header("x-permitted-cross-domain-policies", "none")
    |> send_resp(200, "OK")
  end
end

In this Elixir code snippet, the application sets the X-Permitted-Cross-Domain-Policies header to 'none'.
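The secure example above sets the header in one route. The following added example, which is not part of the original page, goes a step further: a reusable plug (module name CrossDomainPolicy is assumed) sets the header on every response of a router, including the 404 catch-all, and an ExUnit test built on Plug.Test checks that the header is present. The value is validated against the set of policy values Adobe defines, so a typo cannot silently produce an unrecognised header.

```elixir
# Added example (not from the original page): a router-wide plug that sets
# X-Permitted-Cross-Domain-Policies, plus a Plug.Test check. Module names
# CrossDomainPolicy, SecureRouter and SecureRouterTest are assumptions.
defmodule CrossDomainPolicy do
  @behaviour Plug
  import Plug.Conn

  # Values defined by Adobe's cross-domain policy file specification.
  @allowed ~w(none master-only by-content-type by-ftp-filename all)

  @impl true
  def init(opts) do
    value = Keyword.get(opts, :value, "none")

    if value not in @allowed do
      raise(ArgumentError, "invalid X-Permitted-Cross-Domain-Policies value: #{inspect(value)}")
    end

    value
  end

  @impl true
  def call(conn, value) do
    # Runs before :match and :dispatch, so every response carries the header.
    put_resp_header(conn, "x-permitted-cross-domain-policies", value)
  end
end

defmodule SecureRouter do
  use Plug.Router

  plug CrossDomainPolicy, value: "none"
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "OK")
  end

  # Unmatched routes still go through CrossDomainPolicy, so 404s carry the header too.
  match _ do
    send_resp(conn, 404, "Not found")
  end
end

# ExUnit test (run with `mix test`; requires :plug in mix.exs).
defmodule SecureRouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts SecureRouter.init([])

  test "root response sets the cross-domain policy header to none" do
    conn = conn(:get, "/") |> SecureRouter.call(@opts)
    assert conn.status == 200
    assert get_resp_header(conn, "x-permitted-cross-domain-policies") == ["none"]
  end

  test "unmatched routes also carry the header" do
    conn = conn(:get, "/missing") |> SecureRouter.call(@opts)
    assert conn.status == 404
    assert get_resp_header(conn, "x-permitted-cross-domain-policies") == ["none"]
  end
end
```

Placing the plug before `plug :match` is the important design choice: a header added inside individual route bodies is easy to forget on new routes and is never applied to the catch-all response, whereas a plug in the pipeline covers every response the router emits.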