Closed adamnbowen closed 7 years ago
Thanks for raising an issue! So I think that the reason you only need `force_ssl` for Heroku is that Heroku is handling HTTPS rather than the Phoenix application. You'll get the same kind of false positive if you're using NGINX as a proxy and configuring HTTPS there.
That said, I agree that the presence of `force_ssl` should be a pretty good indicator that a proxy server is being used! I'll push an update in the next day or so :)
You've probably already figured it out, but in the meantime you can ignore the HTTPS check with `mix sobelow -i Config.HTTPS`.
I figured there was no harm in adding the `:https` to the config as well, but good to know the option is there, thanks :)
`force_ssl` is now used as an indicator that a proxy server is handling HTTPS. Thanks again for raising the issue; this should keep a lot of people from seeing a false positive here!
I might be wrong, but isn't the `force_ssl` configuration option sufficient to ensure the application is running over HTTPS? At least, that's what is present in the Heroku deployment section in the Phoenix documentation: https://hexdocs.pm/phoenix/heroku.html#making-our-project-ready-for-heroku. Right now, `Sobelow.Config.HTTPS` just checks for the presence of `:https` in the config: https://github.com/nccgroup/sobelow/blob/master/lib/sobelow/config/https.ex#L22