Technical Information Leak - Headers - Elixir


Need

Prevent exposing server details through HTTP response headers.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug (1.12.0 and above) for building composable web applications in Elixir

Description

Insecure Code Example

defmodule MyApp.Plug.RemoveSensitiveHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Plug requires header keys to be lowercase ("server", not "Server").
    # The value leaks the application name, version, language and framework version.
    conn
    |> put_resp_header("server", "MyApp/1.0.0 (Elixir Plug/1.12.0)")
  end
end

This code is insecure because it sets the 'Server' response header with information about the application and the server technology, potentially exposing the system to targeted attacks.

Steps

  1. Avoid setting headers that reveal sensitive details about the server or the technology stack.
  2. Review your application's response headers to ensure that no sensitive information is being exposed.
  3. Use a security-oriented middleware or plug that removes or obfuscates these headers.

Secure Code Example

defmodule MyApp.Plug.RemoveSensitiveHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Plug requires header keys to be lowercase ("server", not "Server").
    # A generic value replaces any stack-specific banner.
    conn
    |> put_resp_header("server", "Secure Server")
  end
end

This code is secure because it doesn't reveal specific details about the application or the technology stack in the 'Server' header. Instead, it sets a generic value, reducing the risk of targeted attacks.
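The secure example above only sets the header once, so a later plug or controller can still overwrite it. The following plug, an added example that is not part of the original page, implements step 3 of the Steps section: it registers a before_send callback that deletes a list of technology-revealing headers and sets the generic Server value immediately before the response is sent, and it includes a self-check built on Plug.Test. The header list and the module name are assumptions; setting a generic value rather than only deleting the header also matters because an adapter such as Cowboy adds its own default server header when the response carries none.

```elixir
defmodule MyApp.Plug.ScrubServerHeaders do
  @moduledoc """
  Added example, not code from the original page. Removes technology-revealing
  response headers immediately before the response is sent, so a value set by
  any later plug or controller is still scrubbed, then sets a generic Server.
  """
  import Plug.Conn

  # Assumed list of headers to scrub; extend it for your stack.
  @sensitive ["server", "x-powered-by", "x-runtime"]

  def init(opts), do: Keyword.get(opts, :server_value, "Secure Server")

  def call(conn, server_value) do
    register_before_send(conn, fn conn ->
      # Plug requires lowercase header keys.
      @sensitive
      |> Enum.reduce(conn, fn name, acc -> delete_resp_header(acc, name) end)
      |> put_resp_header("server", server_value)
    end)
  end

  @doc "Self-check using Plug.Test (ships with Plug); raises MatchError on failure."
  def verify do
    conn =
      Plug.Test.conn(:get, "/")
      |> call(init([]))
      # Simulate downstream plugs leaking stack details after this plug ran.
      |> put_resp_header("x-powered-by", "Phoenix")
      |> put_resp_header("server", "MyApp/1.0.0 (Elixir Plug/1.12.0)")
      |> send_resp(200, "ok")

    # Both leaks must be gone and only the generic value must remain.
    [] = get_resp_header(conn, "x-powered-by")
    ["Secure Server"] = get_resp_header(conn, "server")
    :ok
  end
end
```

Place the plug early in the pipeline (for example in the endpoint before the router) so its before_send callback is registered for every response; run MyApp.Plug.ScrubServerHeaders.verify() in iex to confirm the behaviour.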


References

  • 235 - Technical Information Leak - Headers

  • Last updated: 2023/09/18