Current section

Files

Jump to
sobelow lib sobelow config https.ex
Raw

lib/sobelow/config/https.ex

defmodule Sobelow.Config.HTTPS do
@moduledoc """
# HTTPS
Without HTTPS, attackers in a priveleged network position can
intercept and modify traffic. The HTTP Strict Transport Security
(HSTS) header helps defend against man-in-the-middle attacks by
preventing unencrypted connections.
Sobelow detects missing HTTPS/HSTS by checking the prod
configuration.
HTTPS/HSTS checks can be ignored with the following command:
$ mix sobelow -i Config.HTTPS
"""
alias Sobelow.Config
alias Sobelow.Utils
use Sobelow.Finding
@prod_path "config/prod.exs"
def run(root) do
Config.get_configs_by_file(:https, root <> @prod_path)
|> handle_https(root <> @prod_path)
end
defp handle_https(opts, file) do
if length(opts) === 0 do
Sobelow.log_finding("HTTPS", :high)
print_finding(:https)
else
if length(Utils.get_configs(:force_ssl, file)) === 0 do
Sobelow.log_finding("HSTS", :high)
print_finding(:hsts)
end
end
end
defp print_finding(:https) do
IO.puts IO.ANSI.red() <> "HTTPS Not Enabled - High Confidence" <> IO.ANSI.reset()
if Sobelow.get_env(:with_code), do: print_info("HTTPS")
IO.puts "\n-----------------------------------------------\n"
end
defp print_finding(:hsts) do
IO.puts IO.ANSI.yellow() <> "HSTS Not Enabled - Medium Confidence" <> IO.ANSI.reset()
if Sobelow.get_env(:with_code), do: print_info("HSTS")
IO.puts "\n-----------------------------------------------\n"
end
defp print_info(type) do
IO.puts "\n#{type} configuration details could not be found in `prod.exs` or `prod.secret.exs`."
end
end