@Gladear Gladear commented Aug 22, 2025

This is a proposal to enable the :force_ssl option and HSTS by default on new installations.

HSTS is a standard nowadays, recommended for most, if not all, websites or webapps. However,
I feel like it can be easy to miss if you are not really into web security - just like
CSP, so thanks for making it a default now ❤️

The given option may not be the best suited for a default installation. I basically
copy-pasted the "Using SSL" part of the documentation, making it as generic as possible.

@josevalim
Member

If I remember correctly, the reason why this is disabled is because, if you run prod on your machine (which you may do the first time for testing) and then you access localhost+HSTS, it borks your localhost unless you go to specific settings in each browser and revert that. So your development environment breaks in very non-obvious ways.

@Gladear
Author

Gladear commented Sep 2, 2025

When accessing the app through http://localhost:4000, there is no issue, :force_ssl does not apply headers on localhost.
When accessing it through http://127.0.0.1:4000, the UA is redirected to HTTPS and a "Your connection is not private" appears. The logs clearly state [info] Plug.SSL is redirecting GET / to https://127.0.0.1 with status 301.
Should you access it through a custom domain that you defined in /etc/hosts there would probably be an issue (I did not test), but I think people doing this are both pretty rare, and hopefully proficient enough to debug the problem 😄

@josevalim
Member

Good! And IIRC, the other concern is related to proxy headers. You are currently setting host: nil, which means we will use the same host as the request. However, if you are behind a proxy, the host is likely localhost unless you rewrite it. We could add x_forwarded_host but then, if you are not behind a proxy (or at least one that uses a different header), then an attacker could inject a host and perform spoofing attacks. 😅

Another option is to not set host: nil but then it means we will fail to redirect subdomains, but that seems to be the only default that is safe.

@Gladear
Author

Gladear commented Sep 2, 2025

Indeed! I removed host: nil. Although I can't know for sure, I suppose using multiple domains on a single Phoenix endpoint isn't a common use case.

@andrewtimberlake
Contributor

> I suppose using multiple domains on a single Phoenix endpoint isn't a common use case.

I think it might be. I for one use it on a number of projects.
The :host option is part of scope/4 allowing you to match on the host in the router.

@josevalim
Member

To be clear, it means that accessing http://foo.example.com/path will redirect to https://example.com/path, until the proper rewrite_on is configured. The main host will always work. That seems an acceptable trade-off for the improved security and is better than host: nil, which will redirect to localhost in all cases when not fully configured.
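To make the trade-off discussed above concrete, here is an added example of the two endpoint configurations side by side (it is not the PR's diff or Phoenix's generated code; the app name :my_app and endpoint MyAppWeb.Endpoint are assumed, and the proxy-header variant is commented out because it is only safe behind a proxy that sets those headers itself):

```elixir
# config/runtime.exs (added example; assumes :my_app / MyAppWeb.Endpoint)
import Config

if config_env() == :prod do
  # Default proposed in the PR: no :host key, so Plug.SSL redirects plain-HTTP
  # requests to the host configured under the endpoint's :url option (the
  # "main host"). http://foo.example.com/path therefore lands on
  # https://example.com/path until :rewrite_on is configured, but the redirect
  # target never depends on a client-controlled Host header.
  config :my_app, MyAppWeb.Endpoint,
    url: [host: "example.com", port: 443, scheme: "https"],
    force_ssl: [
      hsts: true,
      # Plug.SSL's default :exclude; this is why http://localhost:4000 is not
      # redirected while http://127.0.0.1:4000 is.
      exclude: ["localhost"]
    ]

  # Variant for a reverse proxy that terminates TLS and rewrites Host.
  # host: nil redirects to the host of the current request, and :rewrite_on
  # tells Plug.SSL to trust the listed X-Forwarded-* headers. Enable this only
  # when the proxy always overwrites those headers; otherwise a request can
  # choose its own redirect target (the spoofing concern raised above).
  #
  # config :my_app, MyAppWeb.Endpoint,
  #   force_ssl: [
  #     hsts: true,
  #     host: nil,
  #     rewrite_on: [:x_forwarded_proto, :x_forwarded_host, :x_forwarded_port]
  #   ]
end
```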

@Gladear
Author

Gladear commented Sep 3, 2025

Another option could be to add it as a comment, explain that it's a good practice to activate it, and link to the Force SSL section of the documentation so that people can configure it as they need it.
