Question: Need for a Health check plug?

[pdgonzalez872]

Hi @josevalim and team!

In pretty much all the big apps I've worked on had a/health (or similar) endpoint in the router. The implementations were somewhat different (different routes, standardization with other in house services, etc), but the concept was the same. Seems like there is even a lib that does it in the wild: https://hex.pm/packages/plug_health.

We have BasicAuth that started in the same way and then was added to Plug. Since all the implementations I've seen have been adhoc, I imagine that any standardization/nudge would be hard to get right even if it came from Plug. No action needed here, just wanted to discuss this in the open.

Thanks for your work as usual ❤️

[josevalim]

Hi @pdgonzalez872! My suggestion is to move this to the forum then, where more people can join. From my point of view, if there is a package for it, then the issue has been addressed. :) Similar to other essential features, such as CORS, templating, etc. which are all important and handled as part of the community.

[pdgonzalez872]

very fair! Thanks!

[josevalim]

I guess there is a question of why Plug.BasicAuth was added and I guess at the moment I don't have a good answer for, besides the fact it is security related, so we likely want to have a established practice.

At the same time, there are plugs today in Plug that in theory wouldn't need to be in Plug (I guess Plug.MethodOverride as an example), but they were added because they were needed early on as part of Plug development. At the same time, they are very small. While CORS and Health are usually more configurable and therefore more LOCs.

[pdgonzalez872]

@josevalim, I came across something that I believe is along the lines of "want to have established practices" -> CSP

Some folks eventually come across it after using Sobelow and I think it's not a topic folks either know much about (my case) or just don't discuss in the open that much. The docs in Sobelow's repo were added after a brief issue discussion in the issues back in 2020.

The best implementation of this I found in the wild was Bytepack's (thanks for making it open source ❤️):

• https://github.com/dashbitco/bytepack_archive/blob/79f8e62149d020f2afcc501592ed399f7ce7a60b/apps/bytepack_web/lib/bytepack_web/extensions/plug/csp_header.ex
• https://github.com/dashbitco/bytepack_archive/blob/79f8e62149d020f2afcc501592ed399f7ce7a60b/config/config.exs#L26-L35
• https://github.com/dashbitco/bytepack_archive/blob/79f8e62149d020f2afcc501592ed399f7ce7a60b/apps/bytepack_web/lib/bytepack_web/router.ex#L21-L22

GriffinMB mentioned this header is app specific in the original Sobelow issue. Even though I agree, it seems like there are great defaults/best practices in Bytepack implementation?

As you mentioned, it's great to have established best practices around security. I wanted to get your thoughts from your point of view. Is this a Plug like BasicAuth? Is this a blog post/ElixirForum post? Maybe some docs in the Phoenix guides?

I'd be glad to try to help in any way I can. Thank you, as usual :)