From 77360710369599fdc95e9689cfddfd3e6e4ccc2e Mon Sep 17 00:00:00 2001
From: Mike Zornek
Date: Sun, 8 Sep 2024 15:11:58 -0400
Subject: [PATCH 1/2] Add sobelow config file that notes our intent to ignore the `Config.HTTPS` check for now. Update CI to use this config file.
---
 .github/workflows/code-quality.yaml | 2 +-
 .sobelow-conf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 .sobelow-conf
diff --git a/.github/workflows/code-quality.yaml b/.github/workflows/code-quality.yaml
index 4e08277..2fec16f 100644
--- a/.github/workflows/code-quality.yaml
+++ b/.github/workflows/code-quality.yaml
@@ -42,5 +42,5 @@ jobs:
 if: always()
 - name: Check for security vulnerabilities in Phoenix project
- run: mix sobelow
+ run: mix sobelow --config
 if: always()
diff --git a/.sobelow-conf b/.sobelow-conf
new file mode 100644
index 0000000..bbc66eb
--- /dev/null
+++ b/.sobelow-conf
@@ -0,0 +1 @@
+[verbose: true, private: false, skip: false, router: nil, exit: false, format: "txt", out: nil, threshold: :low, ignore: ["Config.HTTPS"], ignore_files: [], version: false]
\ No newline at end of file
From f084a1b89e5678bb47b3f70350fa4c43837ad514 Mon Sep 17 00:00:00 2001
From: Mike Zornek
Date: Sun, 8 Sep 2024 15:12:09 -0400
Subject: [PATCH 2/2] Comment out `force_ssl` for now.
---
 config/prod.exs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/config/prod.exs b/config/prod.exs
index c7d1bf8..a68fb4f 100644
--- a/config/prod.exs
+++ b/config/prod.exs
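Review bot: `mix sobelow --config` on the changed `run:` line now loads `.sobelow-conf`, and that file sets `exit: false`, so the step still exits 0 on findings and, combined with `if: always()`, can never fail the job; the security scan was report-only before this change and remains so after it. If the intent is to gate CI, set the config's `exit` key to a severity (sobelow's `--exit` option takes low/medium/high; confirm the keyword-list spelling against `mix help sobelow`) so findings at or above `threshold: :low` turn the step red. Otherwise a one-line comment in the workflow such as `# sobelow is informational here: .sobelow-conf sets exit: false` would spare the next reader the same investigation.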
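Review bot: The `ignore: ["Config.HTTPS"]` entry on the added line is a global suppression of sobelow's HTTPS/`force_ssl` check, and nothing in the repository records why it is there or when it comes out; the rationale lives only in this commit message. `.sobelow-conf` is an Elixir keyword list, so a leading comment such as `# Config.HTTPS ignored while force_ssl is disabled; remove with https://github.com/zorn/flick/issues/85` should be accepted, but confirm that sobelow's config loader evaluates the file as Elixir source before relying on it. The file is also written without a trailing newline (`\ No newline at end of file`), which will produce noisy diffs on the next edit.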
@@ -1,15 +1,17 @@
 import Config
 
 config :flick, FlickWeb.Endpoint,
+ # https://hexdocs.pm/phoenix/using_ssl.html#hsts
+ # FIXME: Restore this in the future.
+ # https://github.com/zorn/flick/issues/85
+ # force_ssl: [hsts: true]
+
 # Note we also include the path to a cache manifest
 # containing the digested version of static files. This
 # manifest is generated by the `mix assets.deploy` task,
 # which you should run after static files are built and
 # before starting your production server.
- cache_static_manifest: "priv/static/cache_manifest.json",
-
- # https://hexdocs.pm/phoenix/using_ssl.html#hsts
- force_ssl: [hsts: true]
+ cache_static_manifest: "priv/static/cache_manifest.json"
 
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Finch, finch_name: Flick.Finch
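Review bot: With `force_ssl: [hsts: true]` commented out, the production `FlickWeb.Endpoint` no longer redirects plain HTTP to HTTPS nor sends a Strict-Transport-Security header (both come from the Plug.SSL setup that `force_ssl` enables), and the new FIXME block says the setting will return but not what, if anything, enforces TLS in front of the app meanwhile. Extend the comment with the present arrangement, e.g. `# TLS is currently terminated/enforced by <platform or proxy — fill in>; restoring force_ssl also restores HSTS.`, so a reader can judge the exposure without digging through deployment config. Also note there that the `Config.HTTPS` entry in `.sobelow-conf` (PATCH 1/2) must be dropped together with this restore, since the suppression and the disabled setting are two halves of one decision. The `config :flick` keyword list still closes cleanly without the trailing comma, so no syntax concern there.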