Insecure Network Communication

Why is this important?

Ensuring that the data in transit is secured between users and your application is the most fundamental security requirement. If this security control is not in place then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Fixing Insecure Network Communication

Option A: Use an encrypted communications channel

The communication channel used is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly.

• OWASP: Top 10 2010-A9-Insufficient Transport Layer Protection
• OWASP: Top 10 2013-A6-Sensitive Data Exposure
• OWASP: Transport Layer Protection Cheat Sheet
• WASC-04: Insufficient Transport Layer Protection
• CWE-319: Cleartext Transmission of Sensitive Information

Detailed Instructions

1. Go through the issues that GuardRails identified in the PR.
2. Look for code like this in your prod.exs configuration:

  config :exchat, Exchat.Endpoint,
    http: [port: {:system, "PORT"}],
    url: [host: "example.com", port: 80],
    cache_static_manifest: "priv/static/manifest.json",
    server: true                                 

3. Replace it with:

  config :exchat, Exchat.Endpoint,
    http: [port: {:system, "PORT"}],
    url: [scheme: "https", host: "path.to.app", port: 443],
    force_ssl: [rewrite_on: [:x_forwarded_proto]],
    cache_static_manifest: "priv/static/manifest.json",
    secret_key_base: System.get_env("SECRET_KEY_BASE")

More information on configuring HTTPS can be found here.

4. Test it
5. Ship it 🚢 and relax 🌴

General References

• OWASP Top 10 - A3-Sensitive Data Exposure
• Common Weakness Enumeration (CWE-295)
• Let's Encrypt - Free SSL/TLS Certificates
• WASC-04: Insufficient Transport Layer Protection
• CWE-295: Improper Certificate Validation