How to secure a Phoenix app?

This week I am focusing on web security. I read blog posts and watch videos. As far as I know, Ecto queries protect us from SQL injection, changesets filter forms, and Phoenix sanitizes user inputs to prevent XSS. In addition to these: never fetch a file from a URL param, sanitize inputs in frontends too, never hardcode API keys… The Elixir community has a lot of experienced developers; what advice or resources do you have to help me learn more?

1 Like

See Securing Rails Applications. I know it’s neither Elixir nor Phoenix, but the basic ideas about security are the same. You just need to implement these ideas with Elixir/Plug/Phoenix if they are not implemented by default.

3 Likes

Make sure you don’t log sensitive things like passwords or PII. I added opt-in logging for query parameters to Phoenix a while ago, where you have to be explicit about which things you allow to be logged.

config :phoenix, :filter_parameters, {:keep, ["id", "order"]}

3 Likes

Also don’t forget…


4 Likes

@aethereus The Rails guide is good, thanks.
@blatyo I never thought about logs; a really important thing.
@AstonJ @griffinbyatt Having an Elixir library is really nice.

2 Likes

“Secure” distribution

If your app is distributed over multiple machines, make sure the nodes communicate over a secure channel like a VPN (almost every cloud provider supports some sort of private networking) or TLS [1, 2] (if you use several cloud providers for your app and it needs to keep a shared state).

[1] http://erlang.org/doc/apps/ssl/ssl_distribution.html
[2] https://www.erlang-solutions.com/blog/erlang-distribution-over-tls.html

DDoS attack mitigation

or at least an attempt at

Check out [3] and [4]. Or, if you use HAProxy (usually a good idea), maybe look into [5]. You can also use HAProxy to terminate TLS connections, since it would probably do a better job at it than Erlang.

Note #1: if you do end up using HAProxy for TLS termination and/or load balancing, the general advice seems to be to pick a machine with a small number of high-frequency cores [6].

Note #2: Erlang, and by extension Cowboy, are not particularly well suited for serving static assets, especially over TLS on Linux (FreeBSD seems to have some support for sendfile over TLS [7]), so maybe pick nginx or H2O [8] for it.

[3] https://github.com/michalmuskala/plug_attack
[4] https://news.ycombinator.com/item?id=17061281
[5] https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
[6] https://cbonte.github.io/haproxy-dconv/1.8/intro.html#3.5
[7] https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf
[8] https://h2o.examp1e.net/

“Secure” configs

Some cloud providers have tools like Azure Key Vault [9]. But you can also host HashiCorp Vault [10] yourself. These are good for storing sensitive configuration information like database credentials and the like.

[9] https://azure.microsoft.com/en-us/services/key-vault/
[10] https://www.vaultproject.io/

5 Likes
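As an added illustration of the plug_attack approach mentioned under "DDoS attack mitigation" [3] (example code, not from the thread or the library), here is a hypothetical `MyApp.PlugAttack` plug that throttles requests per client IP and answers with 429 plus a Retry-After hint instead of the default 403; the module and storage names are assumptions.

```elixir
# Added example (not from the thread): per-IP request throttling with the
# plug_attack library. Module/storage names are hypothetical; tune the
# limit and period to your own traffic profile.
defmodule MyApp.PlugAttack do
  use PlugAttack

  # Rules run in order; the first rule returning a non-nil result decides.
  # Let local health checks through before any throttling applies.
  rule "allow local", conn do
    allow(conn.remote_ip == {127, 0, 0, 1})
  end

  # At most 60 requests per 60 s per client IP, counters kept in ETS.
  rule "throttle by ip", conn do
    throttle(conn.remote_ip,
      period: 60_000,
      limit: 60,
      storage: {PlugAttack.Storage.Ets, MyApp.PlugAttack.Storage}
    )
  end

  # Throttled clients get 429 with Retry-After (seconds until the window
  # resets) so well-behaved clients can back off; expires_at is unix ms.
  def block_action(conn, {:throttle, data}, _opts) do
    wait_ms = data[:expires_at] - System.system_time(:millisecond)
    retry_after = max(div(wait_ms, 1_000), 1)

    conn
    |> Plug.Conn.put_resp_header("retry-after", Integer.to_string(retry_after))
    |> Plug.Conn.send_resp(429, "Too Many Requests\n")
    |> Plug.Conn.halt()
  end

  # Any other block rule keeps the plain 403.
  def block_action(conn, _data, _opts) do
    conn
    |> Plug.Conn.send_resp(403, "Forbidden\n")
    |> Plug.Conn.halt()
  end
end

# Wiring (assumed): start the counter table in your application's
# supervision tree, e.g. from Application.start/2:
#   PlugAttack.Storage.Ets.start_link(MyApp.PlugAttack.Storage, clean_period: 60_000)
# and add `plug MyApp.PlugAttack` to the endpoint before `plug MyAppWeb.Router`.
```

If HAProxy sits in front of the app as suggested above, `conn.remote_ip` will be the proxy's address unless you rewrite it from the forwarded header, so every client would share one counter.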

A good resource is OWASP. Here’s a checklist of good coding practices:

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_Checklist

7 Likes

In addition to the application, there is a lot that you can do to add security when deploying it: https://www.cogini.com/blog/improving-app-security-with-the-principle-of-least-privilege/

Phoenix’s ability to proxy connections efficiently allows some very interesting architectures for better security: https://www.cogini.com/blog/secure-web-applications-with-graphql-and-elixir/

5 Likes