Web Application Security Best Practices for BEAM languages

This document describes best practices for secure development of web applications using BEAM languages, written by the Erlang Ecosystem Foundation’s Security Working Group.

The working group also publishes Secure Coding and Deployment Hardening Guidelines, for Elixir and Erlang applications. This document focuses on web applications, while the previous document covers the Elixir and Erlang language runtimes and standard library.

To report mistakes or suggest additional content, please open an issue or create a pull request in the GitHub repository.

Contents

• Common Web Application Vulnerabilities
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Cross-Site WebSocket Hijacking (CSWSH)
  • SQL Injection
  • Denial of Service (DoS)
  • Client-side enforcement of server-side security
• Session Management Vulnerabilities
  • No server-side session revocation
  • No server-side session timeout
  • Session leakage (session hijacking)
  • Session fixation
  • Session information leakage
  • Session lifecycle and WebSocket connections
• TLS Vulnerabilities
  • Insufficient peer certificate verification
  • Weak TLS versions, ciphers and other options
  • Misconfigured TLS offload
  • Downgrade attacks
• Information Leakage
  • Elixir and Erlang standard library
  • Parameter filter in Phoenix logger
  • Phoenix socket messages
  • Redacting fields in Ecto schemas
• Supply Chain Vulnerabilities
  • Outdated dependencies
  • Retired dependencies
  • Dependencies with known vulnerabilities
  • Insufficient due-diligence when adding 3rd party components
  • Insufficient visibility into 3rd party components

Next: Common Web Application Vulnerabilities »