nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

ignore runtime config in hsts check #166

Closed btmo closed 3 months ago

btmo commented 3 months ago

I was going through https://hexdocs.pm/phoenix/using_ssl.html to set up SSL for a Phoenix service. According to the documentation:

It is important to note that force_ssl: is a compile time config, so it normally is set in prod.exs, it will not work when set from runtime.exs.

Sobelow currently warns when runtime.exs contains https settings but no force_ssl. This PR suggests ignoring the runtime.exs file when checking HSTS.
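The split the PR relies on, as an added example that is not part of the PR or of sobelow itself: force_ssl (and with it the HSTS header) only takes effect from a compile-time config file such as prod.exs, while the https listener options may live in runtime.exs. The app name :my_app, the module MyAppWeb.Endpoint and the environment variable names are assumptions for illustration.

```elixir
# config/prod.exs (compile-time config, read when the release is built)
#
# force_ssl is consumed by Plug.SSL at compile time, so this is the only
# place where it has an effect. hsts: true makes Plug.SSL emit the
# Strict-Transport-Security header on HTTPS responses.
config :my_app, MyAppWeb.Endpoint,
  force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto]]

# config/runtime.exs (evaluated when the release starts)
#
# The TLS listener itself may be configured here, because the certificate
# paths are usually only known at deploy time. This file alone, without the
# force_ssl entry above, is the situation that used to trigger the
# Sobelow HSTS warning.
import Config

config :my_app, MyAppWeb.Endpoint,
  url: [host: System.get_env("PHX_HOST"), port: 443],
  https: [
    port: 443,
    cipher_suite: :strong,
    keyfile: System.get_env("SSL_KEY_PATH"),
    certfile: System.get_env("SSL_CERT_PATH")
  ]

# Misplaced variant, shown for contrast. Putting force_ssl here is silently
# ignored: the app still serves HTTPS but never sends the HSTS header.
#
# config :my_app, MyAppWeb.Endpoint,
#   force_ssl: [hsts: true]
```

A quick check after deploying is to request any page over HTTPS and confirm a Strict-Transport-Security response header is present; if it is missing, force_ssl is most likely sitting in runtime.exs.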

houllette commented 3 months ago

Change makes total sense to me - thanks for the thorough PR!