How to secure a Phoenix app?

This week I'm focusing on web security. I read blog posts and watch videos. As far as I know, Ecto queries protect us from SQL injection, changesets filter forms, and Phoenix sanitizes user inputs to prevent XSS. In addition to these: never fetch a file from a URL param, sanitize inputs in frontends too, never hardcode API keys… The Elixir community has a lot of experienced developers; what are some of your advice or resources to help me learn more?


See Securing Rails Application. I know it’s neither Elixir nor Phoenix, but the basic ideas about security are the same. You just need to implement these ideas with Elixir/Plug/Phoenix if they are not implemented by default.


Make sure you don’t log sensitive things like passwords or PII. I added opt in logging for query parameters to Phoenix a while ago, where you have to be explicit about which things you allow to be logged.

config :phoenix, :filter_parameters, {:keep, ["id", "order"]}

Also don’t forget…
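To see what the two filter modes actually let through to the logs, here is an added illustration (not Phoenix's own code: a simplified reimplementation of the discard and keep rules, with the nested params constructed for the demo):

```elixir
# Added illustration (not Phoenix's own code): a minimal reimplementation of the
# two :filter_parameters modes so you can see what reaches the logs.
defmodule ParamFilterDemo do
  @filtered "[FILTERED]"

  # Default mode: a discard list. Keys that contain a listed word are
  # replaced; everything else (including nested maps) is logged as-is.
  def filter(params, {:discard, words}), do: discard(params, words)
  # Opt-in mode from the post: only listed keys survive, every other leaf is filtered.
  def filter(params, {:keep, keys}), do: keep(params, keys)

  defp discard(%{} = map, words) do
    Map.new(map, fn {k, v} ->
      if is_binary(k) and Enum.any?(words, &String.contains?(k, &1)),
        do: {k, @filtered},
        else: {k, discard(v, words)}
    end)
  end
  defp discard(list, words) when is_list(list), do: Enum.map(list, &discard(&1, words))
  defp discard(other, _words), do: other

  defp keep(%{} = map, keys) do
    Map.new(map, fn {k, v} ->
      if is_binary(k) and k in keys, do: {k, v}, else: {k, keep(v, keys)}
    end)
  end
  defp keep(list, keys) when is_list(list), do: Enum.map(list, &keep(&1, keys))
  defp keep(_leaf, _keys), do: @filtered
end

# Constructed sample request params, including a nested "user" map.
params = %{
  "id" => "42",
  "order" => "desc",
  "user" => %{"email" => "a@example.com", "password" => "hunter2", "ssn" => "123-45-6789"}
}

# A discard list only catches the keys it already knows about: "password" is
# hidden, but "email" and "ssn" still end up in the log line.
IO.inspect(ParamFilterDemo.filter(params, {:discard, ["password"]}), label: "discard")

# The {:keep, ["id", "order"]} config from the post: "id" and "order" are logged,
# and every unlisted leaf inside "user" becomes "[FILTERED]".
IO.inspect(ParamFilterDemo.filter(params, {:keep, ["id", "order"]}), label: "keep")
```

Run it with `elixir` on a file containing the module; the opt-in mode is the safer default for new parameters because a field nobody thought to list is filtered rather than leaked.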



@aethereus The Rails guide is good, thanks.
@blatyo I never thought about logs, a really important thing.
@AstonJ @griffinbyatt Having an Elixir library is really nice.


“Secure” distribution

If your app is distributed over multiple machines, make sure the nodes communicate over a secure channel like vpn (almost every cloud provider supports some sort of private networking) or tls [1, 2] (if you use several cloud providers for your app and it needs to keep a shared state).


DDoS attack mitigation

or at least an attempt at

Check out [3] and [4]. Or, if you use haproxy (usually a good idea), maybe look into [5]. You can also use haproxy to terminate tls connections, since it would probably do a better job at it than erlang.

Note #1: if you do end up using haproxy for tls termination and/or load balancing, the general advice seems to be to pick a machine with a small number of high-frequency cores [6].

Note #2: erlang, and by extension cowboy, are not particularly well suited for serving static assets, especially over tls on linux (freebsd seems to have some support for sendfile over tls [7]), so maybe pick nginx or h2o [8] for it.


“Secure” configs

Some cloud providers have tools like Azure Key Vault [9]. But you can also host HashiCorp Vault [10] yourself. These are good for storing sensitive configuration information like database credentials and the like.



A good resource is OWASP. Here’s a checklist of good coding practices:


In addition to the application, there is a lot that you can do to add security when deploying it:

Phoenix’s ability to proxy connections efficiently allows some very interesting architectures for better security: