Technical Information Leak - Headers
Need
Prevent exposing server details through HTTP response headers.
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Plug (1.12.0 and above) for building composable web applications in Elixir
Description
1. Non compliant code
defmodule MyApp.Plug.RemoveSensitiveHeaders do
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Advertises the application and its technology stack to every client.
    # The value below is illustrative; the defect is that it names the stack.
    put_resp_header(conn, "server", "MyApp/1.0 Plug/1.12 Cowboy")
  end
end

This code is insecure because it sets the Server response header to a value that names the application and the server technology (framework, language runtime, HTTP server). That lets an attacker select exploits for the exact components and versions in use instead of probing blindly.
2. Steps
• Avoid setting headers that reveal sensitive details about the server or the technology stack.
• Review your application's response headers to ensure that no sensitive information is being exposed.
• Use a security-oriented middleware or plug that removes or obfuscates these headers.
3. Secure code example
defmodule MyApp.Plug.RemoveSensitiveHeaders do
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # Set the header at send time so that nothing later in the pipeline
    # reintroduces a technology-revealing value.
    register_before_send(conn, fn conn ->
      put_resp_header(conn, "server", "webserver")
    end)
  end
end

This code is secure because the Server header no longer names the application or the technology stack; a generic value is set instead, which reduces the risk of targeted attacks. The header is overwritten rather than deleted on purpose: the Cowboy adapter adds "server: Cowboy" to any response that lacks the header, so deleting it would still disclose the HTTP server. Setting the value in a before-send callback also covers headers added by plugs that run after this one.
References
• 235. Technical Information Leak - Headers