GuardAPI
Automated Security Protocol

How to fix Lack of Resources & Rate Limiting in Plug

Executive Summary

In the Elixir ecosystem, the BEAM's lightweight processes can lead to a false sense of security. Without explicit rate limiting in your Plug pipeline, an attacker can trigger resource exhaustion (CWE-770) by flooding expensive endpoints, eventually choking the Ecto pool or memory. To mitigate this, we must intercept requests at the plug level and enforce quotas using a sliding window or token bucket algorithm.

The Vulnerable Pattern

VULNERABLE CODE

defmodule MyApp.Router do
  use Plug.Router

  # Needed so conn.params is populated (without it the lookup below raises).
  plug Plug.Parsers, parsers: [:urlencoded, :json], json_decoder: Jason

  plug :match
  plug :dispatch

  # VULNERABLE: No protection against automated flooding.
  post "/api/v1/reset-password" do
    email = conn.params["email"]
    MyApp.Auth.send_reset_email(email)
    send_resp(conn, 200, "Check your inbox")
  end
end

The Secure Implementation

The vulnerable snippet lets an attacker spam the password reset endpoint, potentially exhausting the mail server's quota or the database connection pool. The secure version uses Hammer, an Elixir library that tracks request counts in an ETS table or Redis, via Hammer.Plug. By placing the limiter early in the pipeline, we reject requests that exceed the threshold with 429 Too Many Requests before they reach the expensive application logic, effectively neutralizing this DoS vector.

SECURE CODE

defmodule MyApp.Router do
  use Plug.Router

  plug Plug.Parsers, parsers: [:urlencoded, :json], json_decoder: Jason

  # Use Hammer (via the hammer_plug package, with a Hammer backend such as ETS
  # configured in config.exs) to provide rate limiting logic.
  # Configured for 5 requests per 60 seconds per IP.
  # Plug.Router's plug macro accepts no `when` guard, so the route condition
  # lives in a function plug that delegates to Hammer.Plug.
  plug :limit_auth_routes

  plug :match
  plug :dispatch

  def limit_auth_routes(conn, _opts) do
    if is_auth_route(conn) do
      # hammer_plug expects rate_limit: {bucket_name, scale_ms, limit}
      Hammer.Plug.call(conn, Hammer.Plug.init(rate_limit: {"reset-password", 60_000, 5}, by: :ip))
    else
      conn
    end
  end

  def is_auth_route(conn), do: conn.path_info == ["api", "v1", "reset-password"]

  post "/api/v1/reset-password" do
    email = conn.params["email"]
    MyApp.Auth.send_reset_email(email)
    send_resp(conn, 200, "Check your inbox")
  end
end
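The sliding-window approach the summary mentions, written without Hammer so the mechanism is visible, as an added example that is not part of the original page or of the Hammer project; MyApp.Plugs.SlidingWindow and its :limit and :window_ms options are hypothetical names, and the module assumes Plug is a dependency and that it is started under the application supervisor. It weights the previous window's count by the fraction of that window still inside the trailing interval, and relies on an atomic ETS counter so concurrent requests from one client cannot race past the limit.

```elixir
defmodule MyApp.Plugs.SlidingWindow do
  # Hypothetical sliding-window limiter (added example, not GuardAPI's code).
  @behaviour Plug
  import Plug.Conn
  @table __MODULE__

  # Put this module in the application's supervision tree: the table must be owned
  # by a long-lived process, not by a request process that dies after one call.
  def child_spec(_opts) do
    %{
      id: __MODULE__,
      start:
        {Agent, :start_link,
         [fn -> :ets.new(@table, [:named_table, :public, :set, write_concurrency: true]) end,
          [name: __MODULE__]]}
    }
  end

  @impl true
  def init(opts), do: {Keyword.fetch!(opts, :limit), Keyword.fetch!(opts, :window_ms)}

  @impl true
  def call(conn, {limit, window_ms}) do
    # remote_ip is the TCP peer; behind a reverse proxy a plug must rewrite it from
    # the forwarding header first, or every client shares the proxy's counter.
    client = conn.remote_ip
    now = System.system_time(:millisecond)
    window = div(now, window_ms)
    # Atomic increment (inserting {key, 0} if absent): concurrent requests from one
    # client cannot both read the same count. Rejected requests are counted too.
    current = :ets.update_counter(@table, {client, window}, {2, 1}, {{client, window}, 0})
    previous =
      case :ets.lookup(@table, {client, window - 1}) do
        [{_key, n}] -> n
        [] -> 0
      end
    # Share of the previous window still inside the trailing window_ms interval.
    weight = 1 - rem(now, window_ms) / window_ms
    # Opportunistic cleanup of this client's counter from two windows ago.
    :ets.delete(@table, {client, window - 2})
    if previous * weight + current > limit do
      conn
      |> put_resp_header("retry-after", Integer.to_string(div(window_ms, 1000)))
      |> send_resp(429, "Too Many Requests")
      |> halt()
    else
      conn
    end
  end
end
```

Wire it in with `plug MyApp.Plugs.SlidingWindow, limit: 5, window_ms: 60_000` ahead of `plug :match`, and add `MyApp.Plugs.SlidingWindow` to the children list in the application module so the ETS table exists before the first request.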

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.