dokuzbir

dokuzbir

How to secure a Phoenix app?

This week i focus to web security. I read blogposts watch videos . As far as i know ecto queries protect us from SQL injection, changesets filters forms, phoenix sanitizes user inputs to prevent XSS. In additon to these never fetch a file from a url param, sanitize inputs in frontends too, never hardcode api keys… Elixir community has alot experienced developers what are some your advices or resources to help me learn more?

Most Liked

realcorvus

realcorvus

Using Sobelow and mix_audit were already mentioned, both are great tools.

If your app takes URLs as user input, then does some HTTP request based on them, you should check for server side request forgery (SSRF) It can lead to very bad security incidents, for example it caused the Capitol One breach. There is an open source Elixir library, SafeURL, to help prevent it.

The EEF publishes secure coding and deployment hardening guidelines. Recently Podium released the Elixir Secure Coding Training as a series of LiveBooks as well.

In my experience, Phoenix discourages you from writing code with common web app vulnerabilities (SQL injection, XSS, CSRF). Security incidents still happen, often due to someone attacking the site with a bot:

  • Performing thousands of automated login attempts, using a leaked credential database, to compromise user accounts. This is called credential stuffing, and can be mitigated with 2FA (see NibleTOTP from Dashbit), ensuring password are not being re-used with an Elixir library like ex_pwned, or bot detection.
  • Uses a bot to automate new account creation, then attempts hundreds of purchases using stolen credit cards. The goal of the attacker is to figure out which cards work, it’s called a carding attack.
  • If your app allows users to send emails through a form, for example a project management tool where you can invite people to a project with a brief message, spammers will use this function to send out scam emails. In addition to your users being upset about the spam, your backend email provider may ban your account over this.

Disclosure, I run Paraxial.io, which is a company that blocks attacks like this. Big companies have anti-bot products as well (Google reCaptcha, Cloudflare bot defense), however I would not recommend them.

There’s a number of open source Elixir libraries that can help as well:

I also publish some security related Phoenix posts on the Paraxial.io blog, for example Detecting SQL Injection in Phoenix with Sobelow. If you have questions about this stuff, but don’t want to reply here, feel free to dm me.

blatyo

blatyo

Conduit Core Team

A good resource is OWASP. Here’s a checklist of good coding practices:

AstonJ

AstonJ

Don’t forget to secure on a server level too, disable root login or use passwordless authentication, change SSH ports, block unused ports in your firewall, consider installing software like fail2ban/Denyhosts etc.

Usually your host will have tips/guides on how to do it for your OS, or they may even do a lot of it for you.

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&query=perfume&page=2, I would like to get: ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

We're in Beta

About us Mission Statement