Sobelow v0.2.4 Sobelow.Config.HTTPS
HTTPS
Without HTTPS, attackers in a privileged network position can intercept and modify traffic. The HTTP Strict Transport Security (HSTS) header helps defend against man-in-the-middle attacks by preventing unencrypted connections.
Sobelow detects missing HTTPS/HSTS by checking the prod configuration.
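As an added illustration (not taken from the Sobelow documentation), here is a Phoenix `config/prod.exs` with an HTTP-only endpoint shown in comments next to one that enables HTTPS and HSTS. The application name `:my_app`, the module `MyAppWeb.Endpoint`, the host and the certificate paths are placeholders, and the page does not state which exact keys this Sobelow version matches on.

```elixir
# config/prod.exs (constructed example; :my_app, MyAppWeb.Endpoint,
# example.com and the file paths are placeholders)
import Config

# Weak: plain HTTP only. There is no :https listener and no :force_ssl,
# so traffic is unencrypted and no Strict-Transport-Security header is sent.
#
#   config :my_app, MyAppWeb.Endpoint,
#     http: [port: 80],
#     url: [host: "example.com", port: 80]

# Hardened: serve TLS and redirect/upgrade all plain-HTTP requests.
config :my_app, MyAppWeb.Endpoint,
  url: [host: "example.com", scheme: "https", port: 443],
  https: [
    port: 443,
    cipher_suite: :strong,
    keyfile: "/path/to/privkey.pem",   # placeholder path
    certfile: "/path/to/fullchain.pem" # placeholder path
  ],
  # :force_ssl is passed to Plug.SSL, which redirects HTTP to HTTPS and
  # sets the Strict-Transport-Security response header when hsts is true.
  force_ssl: [
    hsts: true,
    expires: 31_536_000, # HSTS max-age in seconds (one year)
    subdomains: true     # adds includeSubDomains to the header
  ]
```

When TLS is terminated at a load balancer or reverse proxy, the `https:` listener is typically omitted and `rewrite_on: [:x_forwarded_proto]` is added to `force_ssl` so Plug.SSL recognises the original scheme.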
HTTPS/HSTS checks can be ignored with the following command:
$ mix sobelow -i Config.HTTPS