Is Plug.SSL required for forced SSL when running only an HTTPS Cowboy instance?

I’m developing a web API with Plug and Cowboy, which I want to be available only over HTTPS for security reasons.

I have a single Cowboy instance running, configured as follows:

    scheme: :https,
    plug: MyApp.Plug,
    port: 443,
    cipher_suite: :strong,
    certfile: "path/to/cert",
    keyfile: "path/to/key",

Now I see that in the Plug HTTPS guide, using Plug.SSL is mentioned as a way to force HTTPS (by redirecting HTTP to HTTPS). This seems like something I would want, but I’m not sure if I actually need it: with the current configuration, my server already seems to not accept HTTP connections. For example, trying to connect via http://localhost:443 fails, and of course http://localhost:80 also fails.

It seems like when running Cowboy with the :https scheme, HTTP is not accepted, so Plug.SSL is not required? Plug.SSL would only be required if there was another Cowboy instance set to the :http scheme, serving on port 80 (which would then be redirected to the HTTPS instance)?
Is this reasoning correct? I’m concerned about misunderstanding this and potentially introducing security weaknesses.

Plug.SSL does a couple of things, and redirecting from HTTP to HTTPS is one of them. You may (or may not) want to use one of the other features, such as setting the HTTP Strict-Transport-Security response header.

Yes, but HSTS also works to make it such that communication is only done over HTTPS, not HTTP, right? So if Cowboy running with the https scheme doesn’t accept HTTP requests anyway, doesn’t that mean it makes no difference?

Your users won’t be able to connect to your site over plain HTTP. But if an attacker wanted to perform a MitM attack on your users, they might trick them into following an http: link to your site. Most users wouldn’t notice, and if the attacker could divert traffic (e.g. DNS poisoning) they could spoof your site and collect sensitive data from your users, or proxy to the legitimate https: url and snoop all data. HSTS will help prevent that.
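To make the two Plug.SSL behaviours discussed in the answers concrete (the HTTP-to-HTTPS redirect, which only fires if a plain-HTTP listener exists to receive the request, and the Strict-Transport-Security header on HTTPS responses), here is an added example that is not from this thread or from the Plug project. It assumes a router module named `MyApp.Router`, an application module `MyApp.Application`, and the same placeholder `path/to/cert` / `path/to/key` paths as the question; the Plug.Test checks at the end run under ExUnit without any listener.

```elixir
# Router: Plug.SSL sits in front of everything else, so an http: request is
# answered with 301 -> https:// before any route runs, and an https: request
# gets a Strict-Transport-Security header. Note that :exclude defaults to
# ["localhost"], which is why a local curl test is not redirected.
defmodule MyApp.Router do
  use Plug.Router

  plug Plug.SSL,
    hsts: true,            # default, shown for clarity
    expires: 63_072_000    # HSTS max-age in seconds (two years)

  plug :match
  plug :dispatch

  get "/health" do
    send_resp(conn, 200, "ok")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# Supervision tree: the HTTPS listener from the question plus a plain-HTTP
# listener on port 80 whose only job is to let Plug.SSL issue the redirect.
# Without the second listener, Plug.SSL's redirect never has anything to act on.
defmodule MyApp.Application do
  use Application

  def start(_type, _args) do
    children = [
      {Plug.Cowboy,
       scheme: :https,
       plug: MyApp.Router,
       options: [
         port: 443,
         cipher_suite: :strong,
         certfile: "path/to/cert",   # placeholder path, as in the question
         keyfile: "path/to/key"      # placeholder path, as in the question
       ]},
      {Plug.Cowboy, scheme: :http, plug: MyApp.Router, options: [port: 80]}
    ]

    Supervisor.start_link(children, strategy: :one_for_one)
  end
end

# ExUnit checks (constructed test requests; Plug.Test derives conn.scheme and
# conn.host from the URL, so no real listener is needed).
defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts MyApp.Router.init([])

  test "plain-HTTP GET is redirected to the HTTPS URL" do
    conn = :get |> conn("http://www.example.com/health") |> MyApp.Router.call(@opts)
    assert conn.status == 301
    assert get_resp_header(conn, "location") == ["https://www.example.com/health"]
  end

  test "HTTPS response carries HSTS with the configured max-age" do
    conn = :get |> conn("https://www.example.com/health") |> MyApp.Router.call(@opts)
    assert conn.status == 200
    assert get_resp_header(conn, "strict-transport-security") == ["max-age=63072000"]
  end
end
```

Two points follow from running this against the question's setup. If you keep only the HTTPS listener, the first test still passes because Plug.SSL redirects at the plug level, but no real client can ever reach that code path on port 80, so the redirect is moot; the HSTS header, on the other hand, is emitted on every HTTPS response and is what protects users who later follow an http: link. Whether to add the port 80 listener is a usability decision (a redirect instead of a connection error); the HSTS header is the security-relevant part, and `hsts: true` is Plug.SSL's default.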