security-essentials
Security Essentials
RULES — Follow these with no exceptions
- Never use `String.to_atom/1` on user input — atoms are never garbage collected; user-controlled atoms exhaust the atom table and crash the BEAM VM
- Never interpolate strings into `fragment()` or `SQL.query()` — always use `?` parameters for fragments and `$1`, `$2`, ... placeholders for raw SQL (Postgres)
- Never redirect to user-controlled URLs — validate against a whitelist or use verified routes (`~p"..."`)
- Avoid `raw/1` in templates — Phoenix auto-escapes for a reason; if HTML is required, sanitize first with a library like HtmlSanitizeEx
- Never log sensitive data — passwords, tokens, secrets, API keys, and credentials must never appear in Logger calls
- Use `Plug.Crypto.secure_compare/2` for token comparison — never `==`, which short-circuits on the first differing byte and enables timing attacks
- Run dependency audits after changes — `mix deps.audit` and `mix hex.audit` flag dependencies with known advisories or retired packages; `mix sobelow` statically scans your own Phoenix code for security anti-patterns
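The token-comparison and logging rules above, as an added example that is not part of the original guide: a hypothetical `MyAppWeb.Plugs.ApiToken` plug that checks a bearer token with `Plug.Crypto.secure_compare/2` and logs the rejection without ever logging the presented token. The `:my_app, :api_token` config key and the module name are assumptions for the example.

```elixir
defmodule MyAppWeb.Plugs.ApiToken do
  # Added example, not the guide's own code. Rejects requests whose bearer token
  # does not match the configured API token, using a constant-time comparison.
  @behaviour Plug
  import Plug.Conn
  require Logger

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    # Assumed config key: config :my_app, api_token: System.fetch_env!("API_TOKEN")
    expected = Application.fetch_env!(:my_app, :api_token)

    with ["Bearer " <> presented] <- get_req_header(conn, "authorization"),
         true <- valid_token?(presented, expected) do
      conn
    else
      _ ->
        # Log the outcome and the client address only; the presented value is a
        # credential (or an attacker's guess) and must never reach the logs.
        Logger.warning("rejected API request from #{peer_ip(conn)}")

        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end

  # Bad: `==` stops at the first mismatching byte, so response time leaks how
  # many leading bytes of the guess were correct.
  def bad_valid_token?(presented, expected), do: presented == expected

  # Good: Plug.Crypto.secure_compare/2 runs in constant time for equal-length
  # inputs and returns false (without leaking where they differ) otherwise.
  def valid_token?(presented, expected) when is_binary(presented) and is_binary(expected) do
    Plug.Crypto.secure_compare(presented, expected)
  end

  def valid_token?(_, _), do: false

  defp peer_ip(conn), do: conn.remote_ip |> :inet.ntoa() |> to_string()
end
```

Mount it in a router pipeline for the API scope (`plug MyAppWeb.Plugs.ApiToken`). If tokens are stored hashed rather than in plain config, hash the presented value first and `secure_compare` the digests; the comparison rule is the same.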
Atom Table Exhaustion
The BEAM atom table has a fixed limit (default ~1M atoms, 1,048,576) and is never garbage collected: once an atom is created it stays until the node restarts. If an attacker can create arbitrary atoms, they fill the table and crash the entire VM, not just the process that created them.
Bad:
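An added example (not the guide's own code) showing the vulnerable `String.to_atom/1` call beside two safe alternatives, plus the VM counters a practitioner would monitor. The `SortParams` module, the `"sort"` parameter and the allowed field names are assumptions for the example.

```elixir
defmodule SortParams do
  # Added example, not the guide's own code. Converting a user-supplied sort
  # field to an atom, three ways.

  # Bad: every distinct value a client sends becomes a new, permanent atom.
  # A scripted client cycling random strings fills the ~1M-atom table and the
  # whole node dies.
  def bad(params) do
    String.to_atom(params["sort"])
  end

  # Good: an explicit allow-list. Unknown input never touches the atom table,
  # and the caller gets a tagged error instead of an exception.
  @allowed %{"name" => :name, "inserted_at" => :inserted_at}
  def good(params) do
    case Map.fetch(@allowed, params["sort"] || "") do
      {:ok, field} -> {:ok, field}
      :error -> {:error, :invalid_sort}
    end
  end

  # Acceptable: String.to_existing_atom/1 only resolves atoms already in the
  # table and raises ArgumentError for anything else, so it cannot grow the
  # table. It will still resolve *any* existing atom (:ok, module names, ...),
  # so the result must still be checked against an allow-list before use.
  def existing(params) do
    field = String.to_existing_atom(params["sort"] || "")
    if field in Map.values(@allowed), do: {:ok, field}, else: {:error, :invalid_sort}
  rescue
    ArgumentError -> {:error, :invalid_sort}
  end

  # Check: atom table usage. Export this as a metric and alert well before the
  # limit; a steadily climbing count under load is the signature of this bug.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used_pct: Float.round(count / limit * 100, 2)}
  end
end
```

In IEx, `SortParams.good(%{"sort" => "name"})` returns `{:ok, :name}` and `SortParams.good(%{"sort" => "drop_table"})` returns `{:error, :invalid_sort}`; `SortParams.atom_table_usage/0` shows the live count against the limit, which is the number to watch on a node suspected of running `String.to_atom/1` on request data.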