dokuzbir
How to secure a Phoenix app?
This week i focus to web security. I read blogposts watch videos . As far as i know ecto queries protect us from SQL injection, changesets filters forms, phoenix sanitizes user inputs to prevent XSS. In additon to these never fetch a file from a url param, sanitize inputs in frontends too, never hardcode api keys… Elixir community has alot experienced developers what are some your advices or resources to help me learn more?
Most Liked
realcorvus
Using Sobelow and mix_audit were already mentioned, both are great tools.
If your app takes URLs as user input, then does some HTTP request based on them, you should check for server side request forgery (SSRF) It can lead to very bad security incidents, for example it caused the Capitol One breach. There is an open source Elixir library, SafeURL, to help prevent it.
The EEF publishes secure coding and deployment hardening guidelines. Recently Podium released the Elixir Secure Coding Training as a series of LiveBooks as well.
In my experience, Phoenix discourages you from writing code with common web app vulnerabilities (SQL injection, XSS, CSRF). Security incidents still happen, often due to someone attacking the site with a bot:
- Performing thousands of automated login attempts, using a leaked credential database, to compromise user accounts. This is called credential stuffing, and can be mitigated with 2FA (see NibleTOTP from Dashbit), ensuring password are not being re-used with an Elixir library like ex_pwned, or bot detection.
- Uses a bot to automate new account creation, then attempts hundreds of purchases using stolen credit cards. The goal of the attacker is to figure out which cards work, it’s called a carding attack.
- If your app allows users to send emails through a form, for example a project management tool where you can invite people to a project with a brief message, spammers will use this function to send out scam emails. In addition to your users being upset about the spam, your backend email provider may ban your account over this.
Disclosure, I run Paraxial.io, which is a company that blocks attacks like this. Big companies have anti-bot products as well (Google reCaptcha, Cloudflare bot defense), however I would not recommend them.
There’s a number of open source Elixir libraries that can help as well:
-
PlugAttack, I wrote a blog post on it, great library.
I also publish some security related Phoenix posts on the Paraxial.io blog, for example Detecting SQL Injection in Phoenix with Sobelow. If you have questions about this stuff, but don’t want to reply here, feel free to dm me.
blatyo
A good resource is OWASP. Here’s a checklist of good coding practices:
AstonJ
Don’t forget to secure on a server level too, disable root login or use passwordless authentication, change SSH ports, block unused ports in your firewall, consider installing software like fail2ban/Denyhosts etc.
Usually your host will have tips/guides on how to do it for your OS, or they may even do a lot of it for you.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








