GuardAPI

How to fix Improper Assets Management in Phoenix

Executive Summary

Improper Assets Management in Phoenix typically manifests as 'Shadow APIs' or leaked static artifacts. Attackers hunt for legacy routes, undocumented internal endpoints, or sensitive files (like .env or build maps) served via Plug.Static. If your production router still exposes debug tools or your asset pipeline doesn't strictly whitelist public files, you are providing a roadmap for exploitation.

The Vulnerable Pattern

VULNERABLE CODE
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    get "/", PageController, :index

    # VULNERABILITY: Legacy debug endpoint left active in production
    get "/dev/info", DebugController, :env_dump
  end
end

lib/my_app_web/endpoint.ex

plug Plug.Static,
  at: "/",
  from: :my_app,
  # VULNERABILITY: Broad matching might serve sensitive files if placed in priv/static
  only: ~w(css fonts images js favicon.ico robots.txt)

The Secure Implementation

To fix asset management, you must enforce a strict inventory of routes and files.

1. Use 'mix phx.routes' to audit all active endpoints and remove legacy or 'shadow' controllers.
2. Wrap internal/debug tools in 'if Mix.env() == :dev' blocks to prevent compilation into production. The check is evaluated when the router module is compiled, so the guarded scope is simply absent from a prod build (and from a release, where Mix is not available at runtime).
3. Configure Plug.Static with a restrictive whitelist (static_paths) to ensure that only intended public assets are reachable, preventing directory traversal or accidental exposure of build artifacts/config files in 'priv/static'. Plug.Static's 'only' option matches on the first segment of the request path, so each whitelist entry names one top-level file or directory under 'priv/static'.

SECURE CODE
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
  end

  pipeline :admin_auth do
    # Custom plug for MFA/Auth; ensure_authenticated_admin/2 must be defined
    # or imported in this module for the pipeline to compile.
    plug :ensure_authenticated_admin
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    get "/", PageController, :index
  end

  # SECURE: Internal tools scoped and protected. Evaluated at compile time,
  # so the /dev scope does not exist in a prod build at all.
  if Mix.env() == :dev do
    scope "/dev" do
      pipe_through :browser
      forward "/mailbox", Plug.Swoosh.MailboxPreview
    end
  end
end

lib/my_app_web/static_paths.ex

defmodule MyAppWeb.StaticPaths do
  # SECURE: Explicit whitelist of allowed asset directories.
  # Pass it to Plug.Static in the endpoint as only: MyAppWeb.StaticPaths.static_paths()
  def static_paths, do: ~w(assets fonts images favicon.ico robots.txt)
end
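As an added example (not from the original page or from GuardAPI), the ExUnit test below automates steps 1 and 3 of the audit: it asserts that the compiled router exposes no /dev or /debug routes and that nothing under priv/static is a secret or a source map. It assumes the MyAppWeb.Router and MyAppWeb.StaticPaths modules shown above and an OTP application named :my_app.

```elixir
defmodule MyAppWeb.AssetInventoryTest do
  # Added audit test (not from the page or GuardAPI). Assumes the MyAppWeb.Router
  # and MyAppWeb.StaticPaths modules above and an OTP app named :my_app.
  use ExUnit.Case, async: true

  # Route prefixes that must never be compiled into a non-dev router.
  @forbidden_prefixes ["/dev", "/debug"]

  # Files that must never be present under priv/static, whitelisted or not.
  @sensitive_names [".env", ".env.local", "config.exs", "secrets.exs"]

  test "no shadow or debug routes are compiled into the router" do
    # Tests run with MIX_ENV=test, so the `if Mix.env() == :dev` block is not
    # compiled; any /dev route seen here is a leak, not the mailbox preview.
    leaked =
      MyAppWeb.Router.__routes__()
      |> Enum.map(& &1.path)
      |> Enum.filter(fn path ->
        Enum.any?(@forbidden_prefixes, &(path == &1 or String.starts_with?(path, &1 <> "/")))
      end)

    assert leaked == [], "internal routes reachable: #{inspect(leaked)}"
  end

  test "priv/static holds no secrets or source maps" do
    static_dir = Application.app_dir(:my_app, "priv/static")
    # match_dot: true so dotfiles such as .env are not silently skipped.
    offenders =
      static_dir
      |> Path.join("**/*")
      |> Path.wildcard(match_dot: true)
      |> Enum.filter(&File.regular?/1)
      |> Enum.map(&Path.relative_to(&1, static_dir))
      |> Enum.filter(fn rel ->
        base = Path.basename(rel)
        base in @sensitive_names or Path.extname(base) == ".map"
      end)

    assert offenders == [], "sensitive artifacts in priv/static: #{inspect(offenders)}"
  end

  test "static_paths whitelist holds only bare top-level names" do
    # Plug.Static's :only option matches the first path segment, so a nested
    # path or a ".." entry would never match and signals a misconfiguration.
    for entry <- MyAppWeb.StaticPaths.static_paths() do
      refute String.contains?(entry, ["/", ".."]), "bad static_paths entry: #{entry}"
    end
  end
end
```

Run it with 'mix test' in CI so a reintroduced debug route or a stray .env in priv/static fails the build before deployment.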
