I’m learning Elixir and Phoenix now and really like it so far. However, I started thinking about security.
What is the history of 0-day exploits for Phoenix (and Elixir) running on Bandit or Cowboy in production? Is it considered safe? Would it be a good/bad idea to introduce nginx as a reverse proxy? Any common pitfalls for a new developer where you can introduce weak points in your web applications?
When searching on Google, the only real thing I found was “:erlang.binary_to_term”, which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).
I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.
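The `:erlang.binary_to_term` concern raised above comes down to which variant of the call sees network input. The following is an added example, not code from the original post or from Phoenix; it assumes the `plug_crypto` dependency is available (it ships with Plug and Phoenix) and uses constructed sample binaries.

```elixir
defmodule UntrustedTerms do
  @moduledoc """
  Added example (not from the forum post): three ways of decoding an External
  Term Format (ETF) binary that arrived from an untrusted source.
  """

  # The one-argument form is the risky one: it builds whatever the bytes
  # describe, including new atoms (never garbage collected, so the atom table
  # can be exhausted) and function terms. Kept only as the "before" version.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # [:safe] makes decoding fail with badarg (ArgumentError in Elixir) if the
  # binary would create new atoms or external function references. It still
  # decodes anonymous functions, so it is not sufficient on its own.
  def decode_safe(bin) when is_binary(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  # What Plug and Phoenix use for signed tokens and sessions: [:safe] plus a
  # walk over the decoded term that raises if any function is found.
  def decode_non_executable(bin) when is_binary(bin) do
    {:ok, Plug.Crypto.non_executable_binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end
end

# Constructed inputs for a check in iex (assumes plug_crypto is loaded):
benign = :erlang.term_to_binary(%{"user_id" => 42, "role" => "viewer"})
with_fun = :erlang.term_to_binary(fn -> :anything end)

{:ok, %{"user_id" => 42, "role" => "viewer"}} = UntrustedTerms.decode_non_executable(benign)
{:error, :unsafe_term} = UntrustedTerms.decode_non_executable(with_fun)
```

The practical check for a code base is simply to grep for `binary_to_term(` and confirm every call that touches request data, cookies, queue messages or cache entries is the `[:safe]` form or `Plug.Crypto.non_executable_binary_to_term/2`; the two-argument call is also the one worth flagging in code review.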
Would it be a good/bad idea to introduce nginx as a reverse proxy?
It depends on your needs. From a security perspective you can do rate limiting at the Nginx layer or the Elixir app layer; I prefer doing it in the Elixir app because it reduces complexity.
When searching on Google, the only real thing I found was “:erlang.binary_to_term”, which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).
I’ve checked the Phoenix framework for this, they use the safe version. I’ve pentested several Elixir apps and have not found an instance of it “in the wild” yet, so not very common.
I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.
Use the free tier! You get a limited number of scans per month; if your project is non-commercial you’re good to stay on the free tier. (I am the founder of Paraxial.io)
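As an added illustration of the "rate limiting in the Elixir app" option the reply prefers, here is a minimal fixed-window limiter written as a Plug. It is example code, not from the original post, Phoenix or Paraxial.io; it assumes the `plug` dependency, and the table name, limits and window are illustrative choices.

```elixir
defmodule RateLimitPlug do
  @moduledoc """
  Added example (not from the forum post): per-client fixed-window rate
  limiting as a Plug, backed by a public ETS table of counters.
  """
  @behaviour Plug
  import Plug.Conn

  @table :rate_limit_buckets

  # Call this once from a long-lived process (e.g. Application.start/2).
  # ETS tables die with their owner, so never create it from a request process.
  def create_table do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
  end

  @impl true
  def init(opts), do: Keyword.merge([limit: 60, window_ms: 60_000], opts)

  @impl true
  def call(conn, opts) do
    window = current_window(opts[:window_ms])
    key = {client_key(conn), window}
    # Atomically increment the counter for this client in this window,
    # starting from {key, 0} if the row does not exist yet.
    count = :ets.update_counter(@table, key, {2, 1}, {key, 0})

    if count > opts[:limit] do
      conn
      |> put_resp_header("retry-after", Integer.to_string(div(opts[:window_ms], 1000)))
      |> send_resp(429, "Too Many Requests")
      |> halt()
    else
      conn
    end
  end

  # Drop counters from windows older than the current one so the table does
  # not grow forever; run this periodically from a supervised process.
  def sweep(window_ms) do
    current = current_window(window_ms)
    :ets.select_delete(@table, [{{{:_, :"$1"}, :_}, [{:<, :"$1", current}], [true]}])
  end

  # Keyed on the socket peer. Behind a reverse proxy such as nginx every
  # request would share the proxy's address, so there you must key on the
  # client address the proxy forwards (after validating that header chain).
  defp client_key(conn), do: conn.remote_ip

  defp current_window(window_ms), do: div(System.system_time(:millisecond), window_ms)
end

# Quick check from iex (the shell process is long-lived, so it may own the table):
#
#   RateLimitPlug.create_table()
#   opts = RateLimitPlug.init(limit: 2, window_ms: 60_000)
#   conn = Plug.Test.conn(:get, "/login")
#   RateLimitPlug.call(conn, opts).halted   # false
#   RateLimitPlug.call(conn, opts).halted   # false
#   RateLimitPlug.call(conn, opts).halted   # true, status 429
```

In a Phoenix app this goes into a router pipeline (`plug RateLimitPlug, limit: 20, window_ms: 60_000`) in front of the login, password-reset and signup routes rather than the whole endpoint, which is where brute-force traffic concentrates. A fixed window allows up to twice the limit across a window boundary; if that matters, a token bucket or sliding window with the same ETS layout is a small change.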