Technical Information Leak - Errors
Need
Prevent exposing technical information through server error messages.
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for building web applications (version 1.6.0 and above)
Description
1. Non compliant code
defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view

  # Phoenix passes the exception that crashed the request as the :reason assign.
  # Echoing its message back to the client is the leak this page is about.
  def render("500.json", %{reason: reason}) do
    %{errors: %{detail: Exception.message(reason)}}
  end
end
This code is insecure because the detail field of the HTTP 500 response carries the exception's own message. Exception messages routinely include database errors, file paths, module and function names, or the values that triggered the failure, so an attacker who can provoke a crash learns about the stack, the schema and the internal structure of the system.
2. Steps
• Return the same generic message to the client for every server error, regardless of the exception type or where it occurred.
• Handle exceptions at the application level and write the detailed information (exception, kind, stacktrace, request context) to the server-side log only, where it is available for debugging.
• Keep that behaviour in one place, the error view (or an error-handling plug) configured in the endpoint's render_errors option, so no code path can choose what to expose, and make sure debug_errors is disabled outside development.
3. Secure code example
defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view

  # The :reason, :stack and :kind assigns are deliberately ignored here;
  # the response body is a fixed string that does not depend on the error.
  def render("500.json", _assigns) do
    %{errors: %{detail: "An error occurred. We are working to fix it."}}
  end
end
This code is secure because it responds with a fixed, generic message that is independent of the exception that occurred, so nothing about the failure is revealed to the client. The detailed error information stays on the server, reducing the risk of information leaks. Note that the message is a double-quoted string: a single-quoted Elixir literal is a charlist, which Jason would encode as a list of integers rather than as text.
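The following example puts the three steps above together in one error view: the full exception goes to the server log, every HTTP 500 body is the same generic string, and all other statuses fall back to the standard reason phrase. It is an added example for this page, not code from the original page or from Phoenix itself; the MyAppWeb module name and the generic message text are assumptions, and the example targets a JSON-only API (render_errors accepting only json).

```elixir
# Added example, not from the original page: an ErrorView that logs the
# exception server-side and returns only a generic body to the client.
# "MyAppWeb" and the message text are assumed names/values.
defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view
  require Logger

  @generic_detail "An error occurred. We are working to fix it."

  # Phoenix.Endpoint.RenderErrors renders this template with :kind, :reason,
  # :stack and :status in assigns. Everything specific is logged; the client
  # only ever receives @generic_detail.
  def render("500.json", assigns) do
    log_server_error(assigns)
    %{errors: %{detail: @generic_detail}}
  end

  # 404, 403, 422 and any other status fall through to the standard reason
  # phrase ("Not Found", "Forbidden", ...), so an unhandled template cannot
  # leak anything either.
  def template_not_found(template, _assigns) do
    %{errors: %{detail: Phoenix.Controller.status_message_from_template(template)}}
  end

  # Exception kind, message and stacktrace are written to the server log only.
  # With Plug.RequestId in the endpoint, the request_id is already in Logger
  # metadata, so this line can be correlated with the generic response the
  # client saw without putting any of it in the response.
  defp log_server_error(%{kind: kind, reason: reason, stack: stack}) do
    Logger.error(Exception.format(kind, reason, stack))
  end

  # Rendered outside the crash path (for example from a test): nothing to log.
  defp log_server_error(_assigns), do: :ok
end
```

Two checks belong with this module. First, the endpoint must have debug_errors: false in every non-development environment (it is the default, but the generated config/dev.exs sets it to true); with it enabled, Plug.Debugger renders the stacktrace and source excerpts directly into the response and the error view is never reached. Second, if the application also serves HTML, add a render("500.html", assigns) clause that returns the generic string and let template_not_found return Phoenix.Controller.status_message_from_template(template) as a plain string, since HTML templates must produce iodata rather than a map. Phoenix normally logs the crash itself as well; the explicit Logger.error call shows where the detail belongs and lets the view attach request context if needed.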
References
• 239. Technical Information Leak - Errors