Contributions

Article
Sobelow version 0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.
Article
Misconfiguration of the Phoenix router can lead to CSRF: the protect_from_forgery plug in the :browser pipeline only verifies a CSRF token for requests that are not GET, HEAD or OPTIONS, so a state-changing controller action routed with get can be triggered by a cross-site link or image tag that the browser sends with the victim's session cookie. Learn more in this article.
Article
Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF.
Event
Tuesday, March 21, 4pm EST join the founder of Paraxial.io, Michael Lubas, for a live webinar on secure coding in Elixir.
Article
Holden Oullette is the new maintainer of Sobelow, and is interested in security education for Elixir developers.
Article
Did you know that Elixir functions of arity 2 implement the Enumerable protocol, and that :erlang.binary_to_term/2 is not safe on untrusted input even with the :safe option? Learn more in this new post!
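An added example (not code from the linked post) showing both facts at once: the :safe flag only rejects new atoms and references to functions that are not currently loaded, so a serialised reference to an existing exported function such as :os.cmd/2 decodes without error, and because it is a 2-arity function it satisfies Enumerable, meaning any generic code that later calls Enum.* on the decoded value will invoke it. The module and function names are hypothetical; the payload is constructed for the demo.

```elixir
# Added example: :safe does not make binary_to_term safe for untrusted input.
defmodule UntrustedTerms do
  # Constructed attacker payload: a serialised reference to :os.cmd/2.
  # :safe blocks *new* atoms and references to functions that are not loaded;
  # :os is always loaded, so this decodes without error.
  def attacker_payload, do: :erlang.term_to_binary(&:os.cmd/2)

  # What a naive endpoint does with a value taken from a cookie, cache or API.
  def naive_decode(bin), do: :erlang.binary_to_term(bin, [:safe])

  # Hardened decode: keep :safe (it still prevents atom-table exhaustion),
  # then refuse any term that carries a function anywhere inside it.
  # Plug.Crypto.non_executable_binary_to_term/2 does the same job if Plug is
  # already a dependency.
  def decode_untrusted(bin) do
    term = :erlang.binary_to_term(bin, [:safe])
    if executable?(term), do: {:error, :executable_term}, else: {:ok, term}
  rescue
    ArgumentError -> {:error, :malformed}
  end

  # Walks lists (including improper ones), tuples and maps looking for funs.
  defp executable?(f) when is_function(f), do: true
  defp executable?([h | t]), do: executable?(h) or executable?(t)
  defp executable?([]), do: false
  defp executable?(tuple) when is_tuple(tuple), do: tuple |> Tuple.to_list() |> executable?()
  defp executable?(map) when is_map(map), do: map |> Map.to_list() |> executable?()
  defp executable?(_), do: false
end

payload = UntrustedTerms.attacker_payload()

fun = UntrustedTerms.naive_decode(payload)
IO.inspect(is_function(fun, 2), label: "decoded a 2-arity function despite :safe")
# Enumerable is implemented for functions (reduce/3 requires arity 2), so
# Enum.map/Enum.count/... on `fun` would call the attacker-chosen function:
IO.inspect(Enumerable.impl_for(fun), label: "Enumerable implementation for it")

IO.inspect(UntrustedTerms.decode_untrusted(payload), label: "hardened decode")
IO.inspect(UntrustedTerms.decode_untrusted(:erlang.term_to_binary(%{"page" => 2})), label: "benign term")
```

The point of the walk is that functions hide inside containers: a map with a fun as one value is just as dangerous as a bare fun, so a top-level is_function/1 check is not enough.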
Article
How to use the Hammer library to apply rate limiting to authentication routes in Phoenix.
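An added example, not the article's code, of a login rate-limiting plug built on Hammer's check_rate/3 (the Hammer 6.x API; Hammer 7 changed the interface). It keeps two buckets, one per source IP and one per account, so a credential-stuffing run spread across many IPs is still stopped by the account bucket. Module names, the /users/log_in path, the limits, the constructed client module and the test IPs are all assumptions for the demo.

```elixir
# Added example: per-IP and per-account login rate limiting with Hammer 6.
Mix.install(
  [{:plug, "~> 1.14"}, {:hammer, "~> 6.1"}],
  config: [
    hammer: [backend: {Hammer.Backend.ETS, [expiry_ms: 60 * 60_000, cleanup_interval_ms: 10 * 60_000]}]
  ]
)

defmodule Orru.Plugs.LoginRateLimit do
  @behaviour Plug
  import Plug.Conn
  require Logger

  @scale_ms 60_000

  def init(opts), do: Keyword.merge([ip_limit: 10, account_limit: 5], opts)

  # Only login POSTs are counted; every other request passes straight through.
  def call(%Plug.Conn{method: "POST", path_info: ["users", "log_in"]} = conn, opts) do
    ip = conn.remote_ip |> :inet.ntoa() |> List.to_string()
    email = get_in(conn.params, ["user", "email"]) |> to_string() |> String.downcase()

    # Both buckets must allow the request. The account bucket is what defeats
    # an attacker rotating through cloud IPs against one victim account.
    with {:allow, _} <- Hammer.check_rate("login:ip:" <> ip, @scale_ms, opts[:ip_limit]),
         {:allow, _} <- Hammer.check_rate("login:account:" <> email, @scale_ms, opts[:account_limit]) do
      conn
    else
      {:deny, _limit} ->
        conn
        |> put_resp_header("retry-after", Integer.to_string(div(@scale_ms, 1000)))
        |> send_resp(429, "Too many login attempts, try again later")
        |> halt()

      {:error, reason} ->
        # Backend failure on an auth route: fail closed rather than silently
        # dropping the limit (a common pitfall is to let the request through).
        Logger.error("rate limiter unavailable: #{inspect(reason)}")
        conn |> send_resp(503, "Try again later") |> halt()
    end
  end

  def call(conn, _opts), do: conn
end

# Constructed client that drives the plug directly, standing in for a login form.
defmodule Orru.Envy do
  import Plug.Test, only: [conn: 3]
  @plug Orru.Plugs.LoginRateLimit

  def attempt(ip, email) do
    c = %{conn(:post, "/users/log_in", %{"user" => %{"email" => email, "password" => "guess"}}) | remote_ip: ip}
    c = @plug.call(c, @plug.init(ip_limit: 10, account_limit: 3))
    if c.halted, do: {:blocked, c.status}, else: :passed
  end
end

# Same IP, same account: the account bucket (limit 3) trips on the 4th try.
IO.inspect(Enum.map(1..4, fn _ -> Orru.Envy.attempt({203, 0, 113, 7}, "victim@example.com") end),
  label: "one IP, one account")

# Four different IPs, one account: the IP bucket never fills, the account bucket still does.
IO.inspect(Enum.map(1..4, fn i -> Orru.Envy.attempt({198, 51, 100, i}, "target@example.com") end),
  label: "spread over IPs")
```

In a Phoenix app the plug goes into the pipeline that serves the session routes, after Plug.Parsers has populated conn.params; the IP seen by the plug should be the real client address (remote_ip rewriting behind a load balancer is a separate concern).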
Article
Paraxial.io is an application security platform created for Elixir. This post details the motivation for focusing the company on Elixir.
Event
Interested in Elixir and Phoenix security? Join the founder of Paraxial.io, Michael Lubas, for a live coding stream, “Preventing SQL Injection in Ecto”, Feb 15th.
Article
Dependencies in a software project are a frequent source of security concern. The ability to detect outdated packages, and update to the latest version without breaking the project, is necessary for modern teams. In Elixir, dependencies are hosted by the Hex package manager, and managed by the Mix build tool. To better understand the ecosystem, let’s examine the different components in detail.
Article
Paraxial.io can now scan your Elixir project for vulnerabilities, and records a detailed audit trail for your regulatory and compliance needs.
Article
In Elixir, unrestricted atom creation is a denial of service vector: atoms are never garbage collected, so an endpoint that calls String.to_atom/1 on request input lets a client fill the atom table (1,048,576 entries by default) and crash the VM. Learn how to find and prevent this vulnerability in your Phoenix apps!
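An added example (not the post's code) that measures the effect directly: a hypothetical sort-parameter parser written three ways, with the atom count read from the VM before and after a constructed burst of 10,000 requests carrying unique values. Module and function names are assumptions for the demo.

```elixir
# Added example: why String.to_atom/1 on request input is a DoS vector.
defmodule SortParam do
  # Vulnerable: every distinct value a client sends becomes a permanent atom.
  def parse_vulnerable(param) when is_binary(param), do: String.to_atom(param)

  # Safer: only resolves to atoms that already exist; unknown input is rejected
  # instead of allocating anything.
  def parse_existing(param) when is_binary(param) do
    {:ok, String.to_existing_atom(param)}
  rescue
    ArgumentError -> {:error, :unknown_sort}
  end

  # Best: an explicit allow-list; the atom is chosen by your code, not the client,
  # and the endpoint's contract is visible in one place.
  @allowed %{"asc" => :asc, "desc" => :desc}
  def parse_allowlist(param), do: Map.fetch(@allowed, param)

  def atom_count, do: :erlang.system_info(:atom_count)
  def atom_limit, do: :erlang.system_info(:atom_limit)
end

# Constructed traffic: 10_000 requests, each with a never-seen-before ?sort= value.
burst = for _ <- 1..10_000, do: "sort_#{System.unique_integer([:positive])}"

before = SortParam.atom_count()
Enum.each(burst, &SortParam.parse_vulnerable/1)
IO.inspect(SortParam.atom_count() - before, label: "atoms added for good by parse_vulnerable")
IO.inspect(SortParam.atom_limit(), label: "atom table limit (erl +t); crossing it kills the VM")

before = SortParam.atom_count()
results = Enum.map(burst, &SortParam.parse_existing/1)
IO.inspect(SortParam.atom_count() - before, label: "atoms added by parse_existing")
IO.inspect(Enum.count(results, &match?({:error, _}, &1)), label: "requests rejected by parse_existing")

IO.inspect(SortParam.parse_allowlist("asc"), label: "allow-list, known value")
IO.inspect(SortParam.parse_allowlist("; drop table"), label: "allow-list, unknown value")
```

The same reasoning applies to String.to_atom/1 hidden behind Jason's keys: :atoms option, Map.new with String.to_atom/1, and :erlang.binary_to_term/1 without :safe, which are the patterns Sobelow's DOS checks look for.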
Article
With the rise of cloud computing, attackers now have access to a large pool of IPs at low cost. Learn how attackers are bypassing IP based rate limiting, and how Paraxial.io blocks this technique.
Article
This post covers how a CSRF attack works, and the defaults Phoenix gives you to discourage writing vulnerable code.
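An added example, not code from either CSRF article above, that exercises the actual mechanism behind both: Phoenix's plug :protect_from_forgery is Plug.CSRFProtection, which only verifies a token for unsafe HTTP methods. The script simulates a cross-site request (session present, no _csrf_token) against the same hypothetical "delete account" action wired three ways, and shows that only the GET route reaches the action. Paths, controller names and the Plug version pin are assumptions.

```elixir
# Added example: CSRF protection is method-based, so a state-changing GET route
# is outside it.
Mix.install([{:plug, "~> 1.14"}])

defmodule CsrfViaGetDemo do
  import Plug.Test, only: [conn: 3, init_test_session: 2]

  # Same plug and options Phoenix's :browser pipeline applies.
  @csrf_opts Plug.CSRFProtection.init([])

  # A request from an attacker's page: the browser attaches the victim's
  # session cookie, but the attacker cannot read or supply a valid _csrf_token.
  def cross_site_request(method, path) do
    _conn =
      conn(method, path, %{})      # no _csrf_token in the params
      |> init_test_session(%{})    # victim's session is present
      |> Plug.CSRFProtection.call(@csrf_opts)

    :reached_action
  rescue
    Plug.CSRFProtection.InvalidCSRFTokenError -> :blocked
  end
end

# Constructed router lines, mirroring the two ways of wiring one action:
#   get    "/accounts/:id/delete", AccountController, :delete   # misconfigured
#   delete "/accounts/:id",        AccountController, :delete   # correct
IO.inspect(CsrfViaGetDemo.cross_site_request("GET", "/accounts/42/delete"), label: "GET    ")
IO.inspect(CsrfViaGetDemo.cross_site_request("DELETE", "/accounts/42"), label: "DELETE ")
IO.inspect(CsrfViaGetDemo.cross_site_request("POST", "/accounts/42/delete"), label: "POST   ")
```

The fix is in the router, not the controller: route anything that changes state with post, put, patch or delete inside a pipeline that includes protect_from_forgery, and keep get for reads. Sobelow's Config.CSRFRoute check flags get routes whose action names look like mutations.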

Article
There are a number of resources online related to Elixir and Phoenix security, however when it comes to securing your own project, determining where to begin is a difficult task. Here are five recommendations to get started improving the security of your application.
Article
Have you had to deal with XSS vulnerabilities in an Elixir application? Walk through four different examples of vulnerable code in this blog post.
Article
Learn how Ecto encourages you to write secure code, what a function vulnerable to SQL injection looks like, and how Sobelow detects this vulnerability.
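An added example, not the article's code, that puts a vulnerable query beside two safe ones and runs all three against a constructed attacker input. It uses an in-memory SQLite database through ecto_sqlite3 so it runs offline with Mix.install (Postgres users would write $1 instead of ? in the raw query); the repo, table, rows and module names are assumptions for the demo.

```elixir
# Added example: string interpolation into SQL versus bound parameters in Ecto.
Mix.install([{:ecto_sql, "~> 3.10"}, {:ecto_sqlite3, "~> 0.12"}])

defmodule Demo.Repo do
  use Ecto.Repo, otp_app: :sqli_demo, adapter: Ecto.Adapters.SQLite3
end

defmodule Demo.Users do
  import Ecto.Query
  alias Demo.Repo

  def setup do
    Repo.query!("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    Repo.query!("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')")
  end

  # Vulnerable: the input becomes part of the SQL text. Sobelow reports this
  # pattern (interpolation inside Repo.query) as SQL.Query.
  def find_vulnerable(email) do
    Repo.query!("SELECT email FROM users WHERE email = '#{email}'").rows
  end

  # Fixed, raw SQL: the value travels as a bound parameter, never as SQL text.
  def find_parameterised(email) do
    Repo.query!("SELECT email FROM users WHERE email = ?", [email]).rows
  end

  # Idiomatic Ecto: ^email is always a parameter, and fragment/1 only accepts
  # a compile-time string literal, so interpolation cannot sneak in.
  def find_ecto(email) do
    Repo.all(from u in "users", where: u.email == ^email, select: u.email)
  end
end

# pool_size: 1 keeps a single connection, which is what holds the :memory: database.
{:ok, _pid} = Demo.Repo.start_link(database: ":memory:", pool_size: 1)
Demo.Users.setup()

payload = "' OR '1'='1"   # constructed attacker input
IO.inspect(Demo.Users.find_vulnerable(payload), label: "interpolated SQL (every row leaks)")
IO.inspect(Demo.Users.find_parameterised(payload), label: "bound parameter")
IO.inspect(Demo.Users.find_ecto(payload), label: "Ecto query")
IO.inspect(Demo.Users.find_ecto("alice@example.com"), label: "Ecto query, legitimate lookup")
```

The literal check on fragment/1 is the part worth remembering: fragment("lower(?)", u.email) is fine, while fragment("lower('#{x}')") does not compile, which is how Ecto pushes you towards the safe form.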
Article
A short blog post showing two ways to write a function, and why one style is better than the other.
Article
Learn how to crack a bank app using Elixir. This is a writeup for the remote attendee instance, if you played this in-person at ElixirConf the setup was different.
Article
In 1996 Google co-founder Larry Page posted in comp.lang.java, Q: Setting User-Agent Field?. 26 years later, you may still need to set the User-Agent in your project. Here are four examples from the Elixir HTTP clients Finch, HTTPoison, Req, and Tesla.
Article
Paraxial.io protects your Phoenix application from malicious bots. Similar products are reCAPTCHA and Cloudflare, neither of which are designed for Elixir.

Starting today, the Paraxial.io beta is open to new users, no invitation necessary. We have published a detailed guide that walks you through how to protect your Phoenix application with Paraxial, via a simple mix dependency.

https://hexdocs.pm/paraxial/getting_started.html
Article
Are you familiar with credential stuffing attacks? Maybe you have heard about the dangers of password reuse, and even implemented defenses in your own Elixir/Phoenix apps. Have you ever tested the defense?

In this post, learn how credential stuffing works by writing your own testing program in Elixir. If your Phoenix application stores sensitive data, this is an excellent project to see if your current controls are working.

https://paraxial.io/blog/credential-stuffing
Service
Are you currently dealing with bots disrupting your Elixir app?

The Paraxial.io beta is currently accepting new members, email [email protected] and someone will reply to you with more information. Thank you!
Tutorial
This blog post details:

1. How to retrieve lists of data center IP prefixes when a Phoenix application starts.
2. Using a radix tree to store IP prefixes for fast lookup.
3. Why Erlang’s persistent_term module is the best choice for this problem.
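An added example, not the post's code, that implements the three steps as one module: a bit-level trie (the binary form of a radix tree) over IPv4 prefixes, built once from a list of CIDR strings and stored in persistent_term, then consulted per request. The prefixes are a constructed sample using documentation ranges, not any provider's list, and the module name is an assumption; in production, load/1 would be fed by a fetch of the provider's published ranges at application start.

```elixir
# Added example: data-center IP lookup with a prefix trie in persistent_term.
defmodule Orru.DataCenterIPs do
  import Bitwise

  @key {__MODULE__, :trie}

  # Call once at application start (for example from a Task in the supervision
  # tree) after fetching the published ranges. Each :persistent_term.put
  # triggers a global GC that scans every process heap, so build the whole
  # trie first and store it once, never one put per prefix.
  def load(cidrs) do
    trie = Enum.reduce(cidrs, %{}, &insert(&2, &1))
    :persistent_term.put(@key, trie)
    {:ok, length(cidrs)}
  end

  # Per-request check. Reading from persistent_term copies nothing onto the
  # caller's heap, unlike fetching the same map from ETS or a GenServer.
  def data_center?(ip) when is_binary(ip) do
    case :inet.parse_ipv4_address(String.to_charlist(ip)) do
      {:ok, addr} -> data_center?(addr)
      {:error, :einval} -> false
    end
  end

  def data_center?({_, _, _, _} = addr) do
    walk(:persistent_term.get(@key, %{}), to_int(addr), 31)
  end

  defp insert(trie, cidr) do
    [ip, len] = String.split(cidr, "/")
    {:ok, addr} = :inet.parse_ipv4_address(String.to_charlist(ip))
    put_bits(trie, to_int(addr), 31, String.to_integer(len))
  end

  # A node is a map with optional children under keys 0 and 1 and a :match
  # flag meaning "a prefix ends here". Longer prefixes under a :match node
  # are redundant because lookup stops at the first match.
  defp put_bits(trie, _bits, _pos, 0), do: Map.put(trie, :match, true)

  defp put_bits(trie, bits, pos, remaining) do
    bit = (bits >>> pos) &&& 1
    child = put_bits(Map.get(trie, bit, %{}), bits, pos - 1, remaining - 1)
    Map.put(trie, bit, child)
  end

  defp walk(%{match: true}, _bits, _pos), do: true
  defp walk(_trie, _bits, -1), do: false

  defp walk(trie, bits, pos) do
    case Map.fetch(trie, (bits >>> pos) &&& 1) do
      {:ok, child} -> walk(child, bits, pos - 1)
      :error -> false
    end
  end

  defp to_int({a, b, c, d}), do: (a <<< 24) ||| (b <<< 16) ||| (c <<< 8) ||| d
end

# Constructed sample ranges (RFC 5737 documentation prefixes).
{:ok, 3} = Orru.DataCenterIPs.load(["203.0.113.0/24", "198.51.100.128/25", "192.0.2.0/28"])

for ip <- ["203.0.113.77", "198.51.100.5", "198.51.100.200", "192.0.2.15", "192.0.2.16", "8.8.8.8", "not-an-ip"] do
  IO.puts("#{ip}: #{Orru.DataCenterIPs.data_center?(ip)}")
end
```

Lookup cost is bounded by the prefix length (at most 32 map steps) regardless of how many prefixes are loaded, which is the property that makes a per-request check affordable; a list of tuples scanned with Enum.any?/2 would grow linearly with the provider list.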
Service
Paraxial.io is bot detection and prevention for Elixir and Phoenix applications. If you are currently dealing with scrapers, credit card fraud, or credential stuffing, Paraxial.io is the best way to stop attackers and keep your users safe. Mention libhunt in your email to [email protected] for a 10% discount for the first three months!
Tutorial
A tutorial on how credential stuffing attacks can occur against a Phoenix application, and some strategies to mitigate them using PlugAttack. The post walks through:

- Setting up a victim application, named orru
- Using a basic script to perform automated logins, envy
- The throttle and fail2ban rules in PlugAttack, and some potential pitfalls you may run into when setting them up, and how to avoid them
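An added example, not the tutorial's code, showing the two PlugAttack rules side by side and the behavioural difference that matters for login endpoints: a throttle block clears when its window passes, while a fail2ban ban outlives the counting window. The rules are kept in separate plug modules so each can be driven on its own (PlugAttack evaluates rules in order and stops at the first allow or block decision, so in a single module the order of the two rules decides which one ever fires). Module names, storage names, the /users/log_in path, the short windows and the constructed client are assumptions for the demo.

```elixir
# Added example: PlugAttack throttle versus fail2ban on a login route.
Mix.install([{:plug, "~> 1.14"}, {:plug_attack, "~> 0.4"}])

defmodule Orru.LoginThrottle do
  use PlugAttack

  # Rate limit: at most 3 login POSTs per IP per window. The counter expires
  # with the window, so the client gets a fresh allowance afterwards.
  rule "throttle login attempts", conn do
    if conn.method == "POST" and conn.path_info == ["users", "log_in"] do
      throttle(conn.remote_ip,
        period: 300, limit: 3,
        storage: {PlugAttack.Storage.Ets, Orru.ThrottleStorage})
    end
  end
end

defmodule Orru.LoginFail2ban do
  use PlugAttack

  # Ban: once an IP exceeds `limit` attempts within `period`, it is blocked for
  # `ban_for`, long after the counting window itself has expired.
  rule "ban persistent offenders", conn do
    if conn.method == "POST" and conn.path_info == ["users", "log_in"] do
      fail2ban(conn.remote_ip,
        period: 300, limit: 3, ban_for: 60_000,
        storage: {PlugAttack.Storage.Ets, Orru.BanStorage})
    end
  end
end

# The storages are normally children of the application supervisor.
{:ok, _} = PlugAttack.Storage.Ets.start_link(name: Orru.ThrottleStorage, clean_period: 60_000)
{:ok, _} = PlugAttack.Storage.Ets.start_link(name: Orru.BanStorage, clean_period: 60_000)

# Constructed automated-login client; PlugAttack's default block action halts
# the conn with a 403, so `halted` tells us whether the attempt got through.
defmodule Orru.Envy do
  import Plug.Test, only: [conn: 3]

  def attempt(plug, ip \\ {203, 0, 113, 7}) do
    c = %{conn(:post, "/users/log_in", %{"email" => "victim@example.com", "password" => "guess"}) | remote_ip: ip}
    c = plug.call(c, plug.init([]))
    if c.halted, do: :blocked, else: :allowed
  end

  def burst(plug, n), do: Enum.map(1..n, fn _ -> attempt(plug) end)
end

IO.inspect(Orru.Envy.burst(Orru.LoginThrottle, 5), label: "throttle, burst of 5")
IO.inspect(Orru.Envy.burst(Orru.LoginFail2ban, 5), label: "fail2ban, burst of 5")

Process.sleep(400)   # let the 300 ms counting window expire
IO.inspect(Orru.Envy.attempt(Orru.LoginThrottle), label: "throttle after the window")
IO.inspect(Orru.Envy.attempt(Orru.LoginFail2ban), label: "fail2ban after the window")
```

Two things to check when moving this into a real endpoint: a rule that returns nil for non-matching requests (the if with no else above) is what keeps the limits scoped to the login form, and the storage processes must be started before the endpoint or every rule crashes on its first lookup.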