After struggling to understand how to force_ssl via redirection on my application for local development, I had the epiphany.
Why do I care about forcing https via request redirection on local development? Which led me to think: wait, why is http the default request protocol for Phoenix? Isn’t using http the minority use case now for production? If so, why isn’t that true for local development?
One could argue, "why not just disable http for local development if you want to force https", which I think is a valid solution to this issue and may require less effort overall. After all, we typically have to specify the port explicitly, so you almost always say the full URL when working locally.
Beyond that, I find setting up the local certs to be a better practice since it's going to be a closer representation of my production env and can help me quickly identify requests in my application that are not secure. So then why is it that everyone is still having to reconfigure the default from http to https? Why isn’t https the default for development, and what do you think that should or should not look like?