Restrict graphql content types (#458)

* include subdomains in hsts rule

* handle web and graphql content-types separately

* revert hsts include subdomains

lib/elixir_boilerplate_graphql/router.ex

@@ -5,6 +5,13 @@ defmodule ElixirBoilerplateGraphQL.Router do
     @moduledoc false
     use Plug.Router
 
+    plug(
+      Plug.Parsers,
+      parsers: [:json],
+      pass: [],
+      json_decoder: Phoenix.json_library()
+    )
+
     plug(:match)
     plug(:dispatch)
 

lib/elixir_boilerplate_web/endpoint.ex

@@ -40,13 +40,6 @@ defmodule ElixirBoilerplateWeb.Endpoint do
   plug(Plug.RequestId)
   plug(Plug.Telemetry, event_prefix: [:phoenix, :endpoint])
 
-  plug(
-    Plug.Parsers,
-    parsers: [:urlencoded, :multipart, :json],
-    pass: ["*/*"],
-    json_decoder: Phoenix.json_library()
-  )
-
   plug(Sentry.PlugContext,
     body_scrubber: {ElixirBoilerplate.Errors.Sentry, :scrub_params},
     remote_address_reader: {ElixirBoilerplate.Errors.Sentry, :scrubbed_remote_address}

lib/elixir_boilerplate_web/router.ex

@@ -4,6 +4,13 @@ defmodule ElixirBoilerplateWeb.Router do
   import Phoenix.LiveView.Router
 
   pipeline :browser do
+    plug(
+      Plug.Parsers,
+      parsers: [:urlencoded, :multipart, :json],
+      pass: ["*/*"],
+      json_decoder: Phoenix.json_library()
+    )
+
     plug(:accepts, ["html", "json"])
 
     plug(:session)