From 3d90c26a7429ad2eff38eec0eae04728a1c77300 Mon Sep 17 00:00:00 2001
From: Enzo
Date: Fri, 22 Aug 2025 08:54:55 +0200
Subject: [PATCH 1/2] Enable `:force_ssl` in `:prod` environment by default

---
 installer/templates/phx_single/config/prod.exs | 6 +++++-
 .../phx_umbrella/apps/app_name_web/config/prod.exs | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/installer/templates/phx_single/config/prod.exs b/installer/templates/phx_single/config/prod.exs
index 5a6d5e0425..435def0df6 100644
--- a/installer/templates/phx_single/config/prod.exs
+++ b/installer/templates/phx_single/config/prod.exs
@@ -6,7 +6,11 @@ import Config
 # manifest is generated by the `mix assets.deploy` task,
 # which you should run after static files are built and
 # before starting your production server.
-config :<%= @web_app_name %>, <%= @endpoint_module %>, cache_static_manifest: "priv/static/cache_manifest.json"<% end %><%= if @mailer do %>
+config :<%= @web_app_name %>, <%= @endpoint_module %>, cache_static_manifest: "priv/static/cache_manifest.json"
+
+<% end %># Force using SSL in production. This also sets the "strict-security-transport" header,
+# also known as HSTS. `:force_ssl` is required to be set at compile-time.
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil]<%= if @mailer do %>
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Req
diff --git a/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs b/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
index 315068e974..84eb76bb77 100644
--- a/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
+++ b/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
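Review bot: The `rewrite_on: [:x_forwarded_proto]` option on the new `force_ssl` line makes Plug.SSL treat any request whose `X-Forwarded-Proto` header says `https` as already secure, which is only safe when a TLS-terminating proxy in front of the app always sets or overwrites that header; deployed without such a proxy, a client can add `X-Forwarded-Proto: https` to a plain-HTTP request and skip the redirect entirely. Because this is a generated default that most users will never revisit, the comment should state that precondition, e.g. `# :rewrite_on trusts the X-Forwarded-Proto header; keep it only if a proxy in front of the app sets that header, otherwise clients can spoof it to skip the redirect.` The same new comment also misnames the header: the response header Plug.SSL sets is `strict-transport-security`, not "strict-security-transport".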
@@ -8,3 +8,7 @@ import Config
 config :<%= @web_app_name %>, <%= @endpoint_module %>,
   url: [host: "example.com", port: 80],
   cache_static_manifest: "priv/static/cache_manifest.json"
+
+# Force using SSL in production. This also sets the "strict-security-transport" header,
+# also known as HSTS. `:force_ssl` is required to be set at compile-time.
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil]

From f0423d8e393c6df248c7450a8dd5633be674a17a Mon Sep 17 00:00:00 2001
From: Enzo
Date: Tue, 2 Sep 2025 10:31:17 +0200
Subject: [PATCH 2/2] Remove `host: nil` to avoid spoofing attacks

---
 installer/templates/phx_single/config/prod.exs | 2 +-
 .../templates/phx_umbrella/apps/app_name_web/config/prod.exs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/installer/templates/phx_single/config/prod.exs b/installer/templates/phx_single/config/prod.exs
index 435def0df6..dad0e39125 100644
--- a/installer/templates/phx_single/config/prod.exs
+++ b/installer/templates/phx_single/config/prod.exs
@@ -10,7 +10,7 @@ config :<%= @web_app_name %>, <%= @endpoint_module %>, cache_static_manifest: "p
 <% end %># Force using SSL in production. This also sets the "strict-security-transport" header,
 # also known as HSTS. `:force_ssl` is required to be set at compile-time.
-config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil]<%= if @mailer do %>
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto]]<%= if @mailer do %>
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Req
diff --git a/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs b/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
index 84eb76bb77..02139ea479 100644
--- a/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
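Review bot: The new last line of this hunk switches on HSTS with Plug.SSL's defaults (a one-year `max-age`, if I recall correctly), and since the comment itself says the option is compile-time, it cannot be turned off from `config/runtime.exs` for a deployment whose HTTPS setup is not yet complete; once a browser has seen that header for a host it refuses plain HTTP to it for the whole period. A generated default this sticky deserves a sentence in the comment, e.g. `# HSTS is sent with a one-year max-age by default; use hsts: false or a short expires: while an HTTPS setup is still being validated.` The `url: [host: "example.com", port: 80]` context lines above now describe an endpoint that always redirects to HTTPS, so the `port: 80` / default `http` scheme there looks inconsistent unless runtime.exs overrides it, which is not visible in this hunk.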
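Review bot: With `host: nil` dropped from the replaced line, Plug.SSL no longer redirects to whatever `Host` header the client sent, and the redirect target presumably comes from the endpoint's `url: [host: ...]` config instead (Phoenix appears to fill `:host` in from there when it is unset — worth confirming against `Phoenix.Endpoint`), which for the single-app template is not set anywhere in this file. The comment should say where the redirect now points, so a missing or stale `url` host does not surface in production as a redirect to the wrong domain, e.g. `# Plain-HTTP requests are redirected to the host from the endpoint's :url config, so keep that set for production.` The enclosing `if @mailer` EEx block opened on this line continues past the hunk.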
+++ b/installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs
@@ -11,4 +11,4 @@ config :<%= @web_app_name %>, <%= @endpoint_module %>,
 # Force using SSL in production. This also sets the "strict-security-transport" header,
 # also known as HSTS. `:force_ssl` is required to be set at compile-time.
-config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil]
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto]]
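Review bot: Removing `host: nil` on this line means the redirect target is now taken from the endpoint's `:url` config (presumably via the `:host` default Phoenix injects when the option is unset — confirm against `Phoenix.Endpoint`), and in this same template file that config is the placeholder `url: [host: "example.com", port: 80]` visible in the first patch. Unless `config/runtime.exs` overrides it (likely, but not shown here), an umbrella app that reaches production with the placeholder intact will redirect every plain-HTTP request, path and query string included, to `https://example.com/...`, a domain the operator does not control. A comment on this line such as `# Redirects go to the host from the :url config above; make sure it is the real production host.` would make that coupling visible to whoever edits the generated file.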