# HTTPS Configuration Guide

## Overview

This document explains the environment-based HTTPS configuration implemented in the UPI PSP Platform to allow flexible development while maintaining security in production.

## Changes Made

### 1. Security Headers Configuration (`lib/da_product_app_web/plugs/security_headers.ex`)

**Before:**
- `upgrade-insecure-requests` CSP directive was applied in all environments
- This forced browsers to upgrade HTTP requests to HTTPS even in development

**After:**
- `upgrade-insecure-requests` is now only applied in production environment
- Development environments can use HTTP without automatic HTTPS upgrades

```elixir
# Only upgrade insecure requests in production for security
base_policy = if Mix.env() == :prod do
  base_policy ++ ["upgrade-insecure-requests"]
else
  base_policy
end
```

### 2. Session Cookie Security (`lib/da_product_app_web/endpoint.ex`)

**Enhancement:**
- Added explicit `secure: Mix.env() == :prod` to session options
- Ensures cookies are only marked as secure in production
- Allows session cookies to work over HTTP in development

```elixir
@session_options [
  store: :cookie,
  key: "_da_product_app_key",
  signing_salt: "3VV41hZ9",
  same_site: "Lax",
  # Only secure cookies in production to allow HTTP in development
  secure: Mix.env() == :prod
]
```

## Environment Configuration

### Development (HTTP Allowed)
- **URL:** `http://localhost:4040` or `http://127.0.0.1:4040`
- **Protocol:** HTTP is allowed and functional
- **CSP:** No `upgrade-insecure-requests` directive
- **Cookies:** Not marked as secure, work over HTTP
- **Configuration:** `config/dev.exs` - `http: [ip: {0, 0, 0, 0}, port: 4040]`

### Production (HTTPS Enforced)
- **Protocol:** HTTPS is enforced via `force_ssl` configuration
- **CSP:** Includes `upgrade-insecure-requests` directive
- **Cookies:** Marked as secure, require HTTPS
- **HSTS:** Enabled with `hsts: true`
- **Configuration:** `config/prod.exs` - `force_ssl: [hsts: true, host: nil]`

## Testing the Configuration

### 1. Development Mode Testing
```bash
# Start the application in development mode
mix phx.server

# Test HTTP access (should work)
curl -I http://localhost:4040

# Check CSP headers (should NOT include upgrade-insecure-requests)
curl -H "Accept: text/html" http://localhost:4040 | grep -i content-security-policy
```

### 2. Production Mode Testing
```bash
# Compile for production
MIX_ENV=prod mix compile

# Start in production mode (requires proper SSL setup)
MIX_ENV=prod mix phx.server

# Test HTTPS enforcement and headers
curl -I https://your-domain.com
```

## Security Considerations

### Development Environment
- HTTP is allowed for easier development workflow
- No automatic HTTPS upgrades via CSP
- Session cookies work over HTTP
- **Important:** Never use development configuration in production

### Production Environment
- HTTPS is strictly enforced via Phoenix's `force_ssl`
- CSP includes `upgrade-insecure-requests` for additional security
- HSTS headers prevent downgrade attacks
- All security headers are applied as per financial platform requirements

## Configuration Files Modified

1. `lib/da_product_app_web/plugs/security_headers.ex`
   - Made `upgrade-insecure-requests` CSP directive conditional
   - Updated documentation

2. `lib/da_product_app_web/endpoint.ex`
   - Added environment-based cookie security configuration

3. `config/prod.exs` (existing)
   - Contains `force_ssl: [hsts: true, host: nil]` for production HTTPS enforcement

4. `config/dev.exs` (existing)
   - Contains `http: [ip: {0, 0, 0, 0}, port: 4040]` for development HTTP access

## Troubleshooting

### Issue: Browser still tries to use HTTPS in development

**Possible Causes:**
1. Browser has cached HSTS settings from previous production visits
2. Browser has cached the CSP policy with `upgrade-insecure-requests`

**Solutions:**
1. Clear browser cache and cookies for localhost
2. Use incognito/private browsing mode
3. Test with a different browser
4. Use developer tools to disable cache

### Issue: Application fails to start in production

**Check:**
1. SSL certificates are properly configured
2. `force_ssl` configuration is present in `config/prod.exs`
3. Environment variables for SSL are set correctly

## Best Practices

1. **Always test in development mode** before deploying to production
2. **Use HTTPS in staging** environments that mirror production
3. **Regularly review security headers** using tools like SSL Labs or security scanners
4. **Keep CSP policies updated** as application features evolve
5. **Monitor for mixed content warnings** in browser console

## Related Files

- Security implementation: `lib/da_product_app_web/plugs/security_headers.ex`
- Endpoint configuration: `lib/da_product_app_web/endpoint.ex`
- Development config: `config/dev.exs`
- Production config: `config/prod.exs`
- Security documentation: `docs/guides/SECURITY_HEADERS_IMPLEMENTATION.md`