To protect sensitive information in transit over the network, every request to the endpoint must be served over TLS rather than plain HTTP.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  plug Plug.Static,
    at: "/",
    from: :my_app,
    gzip: false,
    only: ~w(css fonts images js favicon.ico robots.txt)

  plug Plug.RequestId
  plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]

  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Phoenix.json_library()

  plug Plug.MethodOverride
  plug Plug.Head

  # The cookie store requires :key and :signing_salt; the salt value is a placeholder.
  plug Plug.Session,
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "CHANGE_ME"

  plug MyAppWeb.Router
end
Nothing in this pipeline forces TLS. If the endpoint is also configured with an `http:` listener (the default in a generated Phoenix app), or sits behind a proxy that accepts plain HTTP, any client that connects over HTTP, or is downgraded to it, exchanges credentials, form data and the session cookie in cleartext. An on-path attacker can read that traffic, replay or modify requests, and forge responses, and the session cookie set by Plug.Session is sent on the cleartext connection as well.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  # Enforce HTTPS before anything else runs, so static assets and the
  # session cookie are never served over a cleartext connection.
  # :rewrite_on trusts X-Forwarded-Proto from a TLS-terminating proxy that
  # strips client-supplied copies of the header; drop it if the endpoint
  # terminates TLS itself.
  plug Plug.SSL,
    rewrite_on: [:x_forwarded_proto],
    hsts: true

  plug Plug.Static,
    at: "/",
    from: :my_app,
    gzip: false,
    only: ~w(css fonts images js favicon.ico robots.txt)

  plug Plug.RequestId
  plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]

  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Phoenix.json_library()

  plug Plug.MethodOverride
  plug Plug.Head

  # The cookie store requires :key and :signing_salt; the salt value is a placeholder.
  # secure: true keeps the browser from sending the cookie over plain HTTP.
  plug Plug.Session,
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "CHANGE_ME",
    secure: true

  plug MyAppWeb.Router
end
The updated code adds Plug.SSL (Plug ships no Plug.ForceSSL; Phoenix's `force_ssl` endpoint option is a wrapper around Plug.SSL) at the top of the pipeline, so every request, static assets included, is checked before it is processed. A request that arrives over plain HTTP is answered with a 301 redirect to the same URL on https:// (307 for methods other than GET and HEAD, so the method and body are preserved), and responses that did arrive over HTTPS carry a Strict-Transport-Security header so browsers will not retry over cleartext. Three things the plug does not do: it does not make the endpoint listen for TLS, so an `https:` listener or a TLS-terminating proxy is still required; when TLS is terminated at a proxy, `rewrite_on: [:x_forwarded_proto]` is needed to avoid a redirect loop, and it must only be enabled when that proxy overwrites client-supplied X-Forwarded-Proto headers, because otherwise a cleartext client can bypass the redirect by sending the header itself; and it does not protect the session cookie, which is why `secure: true` is set on Plug.Session. The same enforcement can be kept out of the endpoint module and set per environment instead, e.g. in config/prod.exs: `config :my_app, MyAppWeb.Endpoint, force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true]`.
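As a check that the enforcement behaves as described, the following ExUnit test, added here as an example and not part of the original page, drives Plug.SSL directly through Plug.Test with the same options as the hardened endpoint. The module name MyAppWeb.ForceSSLTest, the host example.com and the request paths are assumed for illustration.

```elixir
defmodule MyAppWeb.ForceSSLTest do
  # Added example: exercises Plug.SSL in isolation, the way an endpoint test
  # would, to confirm redirects, HSTS and proxy-header handling.
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Same options as the hardened endpoint.
  @opts Plug.SSL.init(rewrite_on: [:x_forwarded_proto], hsts: true)

  test "GET over plain HTTP is redirected with 301 to the https URL, query string kept" do
    conn =
      conn(:get, "http://example.com/login?next=/account")
      |> Plug.SSL.call(@opts)

    assert conn.status == 301
    assert conn.halted
    assert get_resp_header(conn, "location") == ["https://example.com/login?next=/account"]
  end

  test "non-GET methods get a 307 so the method and body survive the redirect" do
    conn =
      conn(:post, "http://example.com/session", %{"user" => "alice"})
      |> Plug.SSL.call(@opts)

    assert conn.status == 307
    assert get_resp_header(conn, "location") == ["https://example.com/session"]
  end

  test "request that arrived over HTTPS passes through and gets an HSTS header" do
    conn =
      conn(:get, "https://example.com/")
      |> Plug.SSL.call(@opts)

    refute conn.halted
    assert [hsts] = get_resp_header(conn, "strict-transport-security")
    assert hsts =~ "max-age="
  end

  test "X-Forwarded-Proto from a TLS-terminating proxy is honoured when rewrite_on is set" do
    conn =
      conn(:get, "http://example.com/")
      |> put_req_header("x-forwarded-proto", "https")
      |> Plug.SSL.call(@opts)

    refute conn.halted
  end

  test "without rewrite_on a client-supplied X-Forwarded-Proto header cannot bypass the redirect" do
    opts = Plug.SSL.init(hsts: true)

    conn =
      conn(:get, "http://example.com/")
      |> put_req_header("x-forwarded-proto", "https")
      |> Plug.SSL.call(opts)

    assert conn.status == 301
    assert conn.halted
  end
end
```

Run it with `mix test` from the project root. The last two tests are the ones that matter operationally: they show that `rewrite_on` is what decides whether X-Forwarded-Proto is trusted, so it should be enabled only behind a proxy that sets that header itself.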