Fix security and favicon

Author: simonprev

.dockerignore

@@ -3,6 +3,7 @@ _build/
 assets/node_modules/
 deps/
 test/
+priv/plts
 priv/static/assets/
 
 .*

.gitignore

@@ -16,10 +16,8 @@ npm-debug.log
 /assets/node_modules
 
 # Ignore assets that are produced by build tools
-/priv/static/assets
-
-# Ignore digested assets cache.
-/priv/static/cache_manifest.json
+/priv/static/*
+!/priv/static/favicon.svg
 
 # Local environment variable files
 .env.local

Dockerfile

@@ -1,7 +1,15 @@
+ARG NODEJS_VERSION=22-bookworm-slim
+ARG ELIXIR_VERSION=1.18.1
+ARG OTP_VERSION=27.2
+ARG DEBIAN_VERSION=bookworm-20241223-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
 # -----------------------------------------------
 # Stage: npm dependencies
 # -----------------------------------------------
-FROM node:20.5-bookworm-slim AS npm-builder
+FROM node:${NODEJS_VERSION} AS npm-builder
 
 # Install Debian dependencies
 RUN apt-get update -y && \
@@ -16,44 +24,51 @@ COPY assets assets
 RUN npm ci --prefix assets
 
 # -----------------------------------------------
-# Stage: hex dependencies
+# Stage: hex dependencies + OTP release
 # -----------------------------------------------
-FROM hexpm/elixir:1.15.5-erlang-26.0.2-debian-bookworm-20230612-slim AS otp-builder
+FROM ${BUILDER_IMAGE} AS hex-builder
 
-# Install Debian dependencies
+# install build dependencies
 RUN apt-get update -y && \
     apt-get install -y build-essential git && \
     apt-get clean && \
     rm -f /var/lib/apt/lists/*_*
 
+# prepare build dir
 WORKDIR /app
 
-# Install Erlang dependencies
-RUN mix local.rebar --force && \
-    mix local.hex --force
+ENV MIX_ENV=prod
+ENV ERL_FLAGS="+JPperf true"
+
+# install hex + rebar
+RUN mix local.hex --force && \
+    mix local.rebar --force
 
+# set build ENV
 ENV MIX_ENV="prod"
 
-# Install mix dependencies
+# install mix dependencies
 COPY mix.exs mix.lock ./
 RUN mix deps.get --only $MIX_ENV
 
-# Copy compile-time config files before we compile dependencies
+# copy compile-time config files before we compile dependencies
 # to ensure any relevant config change will trigger the dependencies
 # to be re-compiled.
 RUN mkdir config
 COPY config/config.exs config/${MIX_ENV}.exs config/
-
-# Compile mix dependencies
 RUN mix deps.compile
 
-# Compile assets
+# install Esbuild so it is cached
+RUN mix esbuild.install --if-missing
+
+COPY lib lib
 COPY --from=npm-builder /app/assets assets
 COPY priv priv
+
+# Compile assets
 RUN mix assets.deploy
 
-# Compile code
-COPY lib lib
+# Compile the release
 RUN mix compile
 
 # Changes to config/runtime.exs don't require recompiling the code
@@ -65,25 +80,27 @@ RUN mix release
 # -----------------------------------------------
 # Stage: Bundle release in a docker image
 # -----------------------------------------------
-FROM debian:bookworm-20230612-slim
+FROM ${RUNNER_IMAGE}
 
 RUN apt-get update -y && \
-    apt-get install -y libstdc++6 openssl libncurses5 locales && \
-    apt-get clean && \
-    rm -f /var/lib/apt/lists/*_*
+  apt-get install -y curl jq libstdc++6 openssl libncurses5 locales && \
+  apt-get clean && \
+  rm -f /var/lib/apt/lists/*_*
 
 # Set the locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 
-ENV LANG en_US.UTF-8
-ENV LANGUAGE en_US:en
-ENV LC_ALL en_US.UTF-8
-
 WORKDIR "/app"
 RUN chown nobody /app
 
+# set runner ENV
+ENV LANG=en_US.UTF-8
+ENV LANGUAGE=en_US:en
+ENV LC_ALL=en_US.UTF-8
+ENV MIX_ENV="prod"
+
 # Only copy the final release from the build stage
-COPY --from=otp-builder --chown=nobody:root /app/_build/prod/rel/elixir_boilerplate ./
+COPY --from=hex-builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/elixir_boilerplate ./
 
 USER nobody
 

lib/elixir_boilerplate_web/endpoint.ex

@@ -24,7 +24,7 @@ defmodule ElixirBoilerplateWeb.Endpoint do
     at: "/",
     from: :elixir_boilerplate,
     gzip: true,
-    only: ~w(assets fonts images favicon.ico robots.txt)
+    only: ~w(assets fonts images favicon.svg robots.txt)
   )
 
   # Code reloading can be explicitly enabled under the

lib/elixir_boilerplate_web/home/live.ex

@@ -7,6 +7,7 @@ defmodule ElixirBoilerplateWeb.Home.Live do
   def mount(_, _, socket) do
     socket = assign(socket, :message, "Hello, world!")
     socket = assign(socket, :counter, 0)
+    socket = assign(socket, :page_title, "Home")
 
     {:ok, socket}
   end

lib/elixir_boilerplate_web/layouts/templates/root.html.heex

@@ -4,9 +4,13 @@
     <meta charset="utf-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <Phoenix.Component.live_title>
+      <%= assigns[:page_title] || "ElixirBoilerplate" %>
+    </Phoenix.Component.live_title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
     <link rel="stylesheet" href={Routes.static_url(@conn, "/assets/app.css")} />
     <meta name="csrf-token" content={Plug.CSRFProtection.get_csrf_token()} />
-    <script type="text/javascript" src={Routes.static_url(@conn, "/assets/app.js")}></script>
+    <script defer type="text/javascript" src={Routes.static_url(@conn, "/assets/app.js")}></script>
   </head>
 
   <body>

lib/elixir_boilerplate_web/plugs/security.ex

@@ -41,7 +41,7 @@ defmodule ElixirBoilerplateWeb.Plugs.Security do
     if Application.get_env(:elixir_boilerplate, __MODULE__)[:allow_unsafe_scripts] do
       "'self' 'unsafe-eval' 'unsafe-inline'"
     else
-      "'self'"
+      "'self' 'unsafe-inline'"
     end
   end
 end

lib/elixir_boilerplate_web/router.ex

@@ -10,6 +10,7 @@ defmodule ElixirBoilerplateWeb.Router do
     plug(:fetch_session)
 
     plug(:protect_from_forgery)
+    plug(:put_secure_browser_headers)
     plug(:fetch_live_flash)
 
     plug(:put_layout, {ElixirBoilerplateWeb.Layouts, :app})