minhajuddin

minhajuddin

Gzip plug and plug contrib

Hi Guys,
I had to build a Gzip plug for one of my projects as I needed only a subset of pages to be Gzipped (https://hexdocs.pm/plug_contrib/PlugContrib.Gzip.html). I’d love to hear any ideas to add to this plug_contrib package. Rack has a nice list of Middlewares listed at https://github.com/rack/rack-contrib . Many of these are already present in Phoenix/Plug. I’d love to hear ideas on what people would like to have in this project. I’d love for this project to collect non core plugs which web apps may need from time to time :slight_smile:

Most Liked

josevalim

josevalim

Creator of Elixir

Btw, Cowboy also supports gzipping. You only need to pass compress: true to the server configuration (on Phoenix this means under the :http/:https keys in your configuration):

config :my_app, MyApp.Endpoint,
  http: [compress: true, ...],
  https: [compress: true, ...]

The Plug can still be handy in many situations, for example, if you cannot compress all routes, the Plug gives you flexibility where the Cowboy configuration cannot.

josevalim

josevalim

Creator of Elixir

Plug.CSRFProtection uses a masked token which does not make it vulnerable to breach (although you need to be careful to not introduce something similar).

minhajuddin

minhajuddin

Thanks, I did come across this. Like you said it compressed all the traffic. Our scenario required compression of just a subset of the routes :slight_smile:

nathanl

nathanl

Note that compression + SSL/TLS can open you to http://breachattack.com/. After some investigation, I think we’ll just do without gzip on our API responses, which are served over HTTPS. :frowning2:

nathanl

nathanl

I think we’re safe from BREACH after all and can use gzip + https.

Essentially, I think the vulnerability is this:

  • Assume an attacker can make their victim make requests to our site. The
    attacker cannot see inside the HTTPS responses, but can see their
    length.
  • The attacker makes the victim make repeated requests to an endpoint that
    returns both an unchanging secret value (like an API token) and a
    value that the attacker can change (eg, a search term that gets echoed
    in the response).
  • The attacker keeps tweaking the search term in successive requests.
    Because gzip works by de-duplication, the closer the attacker gets to
    guessing the API token, the smaller the response gets. Eventually, they
    can guess it exactly, and can then impersonate their victim to
    our site.

I think we’re safe because:

  • We don’t have any endpoints which return both and API token and
    some value sent in the request.
  • In any case, we never send the same API token twice because the value
    we send is timestamped and signed; we use Phoenix.Token.sign/3. This
    should make guesing the value as describe above impossible.

If anybody knows otherwise, please chime in. I’ve also asked about it on the Information Security Stackexchange.

Where Next?

Popular in Libraries Top

Crowdhailer
The latest release of Ace (0.10.0) includes serving content over HTTP/2. I have started writing a webserver to teach my self more about...
New
pkrawat1
Presenting Aviacommerce, open source e-commerce platform in Elixir Aviacommerce is an open source e-commerce platform in Elixir. We at...
New
jakub-zawislak
Hi everyone, I’m coming from the Symfony (PHP) framework. I like Phoenix, but it has a one thing that was build much better in the Symfo...
New
Qqwy
Solution is a library to help you with working with ok/error-tuples in case and with-expressions by exposing special matching macros, as ...
New
aditya7iyengar
Rummage.Ecto and Rummage.Phoenix provide ways to perform Searching, Sorting and Pagination over Ecto queries and Phoenix collections. Fo...
New
martinthenth
Hello everybody :wave: Recently, some of my colleagues talked about database ids and uuids and their problems, and I remembered the pain...
New
Qqwy
Hello everyone, I wrote a small library today called MapDiff. It returns a map listing the (smallest amount of) changes to get from map...
New
tmbb
I’ve decided to create this topic to discuss optimization possibilities for something like Phoenix LiveView. I’ve created this topic unde...
New
mischov
import Meeseeks.CSS html = HTTPoison.get!("https://news.ycombinator.com/").body for story <- Meeseeks.all(html, css("tr.athing")) do...
New
maltoe
Hello! Came here to announce ChromicPDF, a pet project PDF generator I’ve been working on for the past few months. Why another PDF gener...
New

Other popular topics Top

shahryarjb
Hello, I get Persian date from my client and convert it to normal calendar like this: def jalali_string_to_miladi_english_number(persi...
New
peerreynders
Manning 2016 Halloween weekend sale via Deal of the Day Friday, October 28 - Half off all MEAPs - code WM102816LT Saturday, October 29 ...
326 29600 154
New
dotdotdotPaul
Okay, I'm having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I'm sure I'...
New
yawaramin
In the Dialyzer docs ( http://erlang.org/doc/man/dialyzer.html#requesting-or-suppressing-warnings-in-source-files ), there is a way to tu...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New

Sub Categories:

We're in Beta

About us Mission Statement