Current section

Files

Jump to
sobelow lib sobelow config headers.ex
Raw

lib/sobelow/config/headers.ex

defmodule Sobelow.Config.Headers do
@moduledoc """
# Missing Secure HTTP Headers
By default, Phoenix HTTP responses contain a number of
secure HTTP headers that attempt to mitigate XSS,
click-jacking, and content-sniffing attacks.
Missing Secure HTTP Headers is flagged by `sobelow` when
a pipeline accepts "html" requests, but does not implement
the `:put_secure_browser_headers` plug.
Secure Headers checks can be ignored with the following
command:
$ mix sobelow -i Config.Headers
"""
alias Sobelow.Utils
use Sobelow.Finding
def run(router, _) do
Utils.get_pipelines(router)
|> Enum.each(&is_vuln_pipeline/1)
end
defp is_vuln_pipeline(pipeline) do
if Utils.is_vuln_pipeline(pipeline, :headers) do
add_finding(pipeline)
end
end
defp add_finding({:pipeline, [line: line_no], [pipeline_name, _]} = pipeline) do
type = "Missing Secure Browser Headers"
case Sobelow.format() do
"json" ->
finding = [
type: type,
pipeline: "#{pipeline_name}:#{line_no}"
]
Sobelow.log_finding(finding, :high)
"txt" ->
Sobelow.log_finding(type, :high)
IO.puts IO.ANSI.red() <> type <> " - High Confidence" <> IO.ANSI.reset()
IO.puts "Pipeline: #{pipeline_name}:#{line_no}"
if Sobelow.get_env(:with_code), do: Utils.print_code(pipeline, pipeline_name)
IO.puts "\n-----------------------------------------------\n"
"compact" ->
Utils.log_compact_finding(type, :high)
_ ->
Sobelow.log_finding(type, :high)
end
end
end