Which I read as convert any “HEAD” method to “GET” otherwise pass the request unchanged.
So, maybe it doesn’t strip the response body? But then I started wondering how would you strip the response body (or do anything at all with the response). Isn’t the controller the last plug that gets executed in the pipeline in a default generated Phoenix app? Am I misunderstanding how plugs are called or work?
It’s not really enough in most cases to just have the application not send a body to a HEAD response. RFC9110§9.3.2 (and other parts of the spec) say that a HEAD response should ideally look exactly like the equivalent GET in every way except for the lack of response body. Specifically, headers such as content-length, etags, and others should be the same. In order for Bandit to know what content-length to send, it needs to have the application try and send the response body; it’s Bandit’s responsibility to elide the body if necessary.
You’re right, that plug does not strip the response body, doc bug.
And yes - the controller is the last plug by default. You can add other plugs in your Endpoint after the Router if you want, but they can’t affect the response because the render call both creates the response body AND sends it via the http adapter.
