Enable :force_ssl in :prod environment by default (#6435)

* Enable `:force_ssl` in `:prod` environment by default

* Remove `host: nil` to avoid spoofing attacks

Author: Gladear

installer/templates/phx_single/config/prod.exs

@@ -6,7 +6,11 @@ import Config
 # manifest is generated by the `mix assets.deploy` task,
 # which you should run after static files are built and
 # before starting your production server.
-config :<%= @web_app_name %>, <%= @endpoint_module %>, cache_static_manifest: "priv/static/cache_manifest.json"<% end %><%= if @mailer do %>
+config :<%= @web_app_name %>, <%= @endpoint_module %>, cache_static_manifest: "priv/static/cache_manifest.json"
+
+<% end %># Force using SSL in production. This also sets the "strict-security-transport" header,
+# also known as HSTS. `:force_ssl` is required to be set at compile-time.
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto]]<%= if @mailer do %>
 
 # Configure Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Req

installer/templates/phx_umbrella/apps/app_name_web/config/prod.exs

@@ -8,3 +8,7 @@ import Config
 config :<%= @web_app_name %>, <%= @endpoint_module %>,
   url: [host: "example.com", port: 80],
   cache_static_manifest: "priv/static/cache_manifest.json"
+
+# Force using SSL in production. This also sets the "strict-security-transport" header,
+# also known as HSTS. `:force_ssl` is required to be set at compile-time.
+config :<%= @web_app_name %>, <%= @endpoint_module %>, force_ssl: [rewrite_on: [:x_forwarded_proto]]