
Use of an insecure channel - HTTP - Elixir


Need

To secure the transmission of sensitive data between client and server by using encryption.


Context

  1. Usage of Elixir (1.12.0 and above) with the Phoenix Framework (1.5.7) for building web applications
  2. Usage of the Phoenix configuration files (config/*.exs) to configure the endpoint, including which listeners it opens and how generated URLs are built

Description

Insecure Code Example

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  # Plaintext listener: everything sent here crosses the network unencrypted
  http: [ip: {127, 0, 0, 1}, port: 80],
  # Generated URLs (routes, redirects, links in emails) also use the plaintext scheme
  url: [scheme: "http", host: "example.com", port: 80]

In this insecure configuration the endpoint only listens for plain HTTP on port 80 and advertises http:// URLs, so every request and response, including credentials, session cookies and API tokens, crosses the network unencrypted. Anyone positioned on the path (shared Wi-Fi, a compromised router, an upstream network) can read or modify that traffic, and the client has no way to verify that it is talking to the real server.

Steps

  1. Obtain a TLS certificate for your domain from a trusted certificate authority (for example through ACME/Let's Encrypt). A self-signed certificate is only acceptable for local development, because clients cannot validate it.
  2. Add an https listener to the endpoint configuration in the Phoenix configuration file, pointing keyfile and certfile at the private key and certificate, and set the url scheme to "https" so that generated links and redirects use the encrypted port.
  3. Do not leave an HTTP listener serving application traffic. Either remove it, or keep it only to redirect to HTTPS: Phoenix's force_ssl endpoint option (backed by Plug.SSL) performs that redirect and adds a Strict-Transport-Security header so browsers stop using http:// for the host.

Secure Code Example

# In config/prod.exs
config :my_app, MyAppWeb.Endpoint,
  # TLS listener on 443 with the server's private key and certificate
  # (the self-signed pair named here is only acceptable for local testing)
  https: [ip: {127, 0, 0, 1}, port: 443, keyfile: "priv/ssl/selfsigned.key", certfile: "priv/ssl/selfsigned.crt"],
  # Generated URLs now use https and the encrypted port
  url: [scheme: "https", host: "example.com", port: 443]

In this secure configuration the endpoint serves HTTPS on port 443 using the configured private key and certificate, so traffic between client and server is encrypted and the server is authenticated by TLS, and the https url scheme makes generated links use the encrypted port. Two caveats apply. First, a self-signed certificate like the one named in the file paths is only suitable for local testing: browsers and API clients will reject it, or users will be trained to click through warnings. Second, it is the absence of the http listener that stops plaintext traffic; if port 80 must stay open for legacy links, it should only redirect to HTTPS and never serve application responses.
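The following configuration is an added example and not code from the original page: it shows a production endpoint with the hardening a reviewer would expect on top of the minimal secure example, namely a strong cipher preset, key material supplied at deploy time, and an HTTP listener that exists only to redirect to HTTPS with HSTS. It assumes the OTP application is :my_app with endpoint MyAppWeb.Endpoint, and that the certificate and key paths are provided through the hypothetical SSL_CERT_PATH and SSL_KEY_PATH environment variables. It is placed in config/runtime.exs (available with Elixir 1.11+) because that file is evaluated when the node boots, so the paths are read on the production host instead of being baked in at compile time.

```elixir
# config/runtime.exs (added example, not the original page's code).
# Assumptions: OTP app :my_app, endpoint MyAppWeb.Endpoint, and the
# hypothetical SSL_CERT_PATH / SSL_KEY_PATH environment variables holding
# the paths of a CA-issued certificate and its private key.
import Config

if config_env() == :prod do
  config :my_app, MyAppWeb.Endpoint,
    # TLS listener. fetch_env!/1 makes the node fail to boot when a path is
    # missing, which is safer than silently starting without TLS material.
    https: [
      ip: {0, 0, 0, 0},
      port: 443,
      # Plug.SSL preset: TLS 1.2+ only, forward-secret AEAD cipher suites.
      cipher_suite: :strong,
      keyfile: System.fetch_env!("SSL_KEY_PATH"),
      certfile: System.fetch_env!("SSL_CERT_PATH")
    ],
    # Plaintext listener kept solely so force_ssl can answer legacy http://
    # links with a redirect; no application traffic is served on it.
    http: [ip: {0, 0, 0, 0}, port: 80],
    # Plug.SSL: redirect every HTTP request to HTTPS and send a
    # Strict-Transport-Security header so browsers refuse to downgrade on
    # later visits. rewrite_on trusts X-Forwarded-Proto when a load balancer
    # in front of the app terminates TLS.
    force_ssl: [
      hsts: true,
      rewrite_on: [:x_forwarded_proto],
      host: "example.com"
    ],
    # Generated URLs (routes, redirects, emails) must also point at https.
    url: [scheme: "https", host: "example.com", port: 443]
end
```

After deploying, a plain `curl -sI http://example.com/` should return a 301/302 whose Location header starts with https://, and `curl -sI https://example.com/` should include a strict-transport-security header; a direct HTTP request that returns application content instead of a redirect means the plaintext channel is still in use.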


References

  • 372 - Use of an insecure channel - HTTP

  • Last updated: 2023/09/18