Your app can detect which protocol is being used by examining a request’s X-Forwarded-Proto header. See HTTP Request Headers for more information.
FORCE_SSL Configuration variable to true (it must be set to the string true, not just any value).
FORCE_SSL in detail
Setting FORCE_SSL=true on an app causes 2 things to happen:
- Your HTTP(S) Endpoints will redirect all HTTP requests to HTTPS.
- Your HTTP(S) Endpoints will set the Strict-Transport-Security header on responses with a max-age of 1 year.
Strict-Transport-Security header before using this feature.
In particular, by design, clients that connect to your site and receive this header will refuse to reconnect via HTTP for up to a year after they receive the Strict-Transport-Security header.
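The following is an added example, not code from the platform or its documentation: a WSGI middleware that reads X-Forwarded-Proto as described above and reproduces the two FORCE_SSL behaviours inside the app. The names ForceHTTPS, canonical_host, demo_app and call are hypothetical, the 301 status is an assumption (the page does not state which redirect status the Endpoint uses), and the code assumes every request reaches the app through the Endpoint, which sets the header.

```python
HSTS_VALUE = "max-age=31536000"  # 1 year = 365 * 24 * 3600 seconds


def forwarded_proto(environ):
    """Protocol the client used, as reported in X-Forwarded-Proto."""
    # WSGI exposes the request header X-Forwarded-Proto under this key.
    return environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()


class ForceHTTPS:
    """Hypothetical WSGI middleware mirroring the two FORCE_SSL behaviours."""

    def __init__(self, app, canonical_host):
        self.app = app
        # Redirect to a configured host rather than echoing the Host header.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        # Fail closed: anything other than exactly "https" is redirected.
        if forwarded_proto(environ) != "https":
            path = environ.get("PATH_INFO") or "/"
            target = "https://" + self.canonical_host + path
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301 is an assumption made for this example.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Replace any app-supplied HSTS header so exactly one is sent.
            kept = [(k, v) for k, v in headers
                    if k.lower() != "strict-transport-security"]
            kept.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, kept, exc_info)

        return self.app(environ, with_hsts)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

The HSTS header is attached only to responses served over HTTPS, since browsers ignore it on plain HTTP responses.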
Enabling FORCE_SSL
To set FORCE_SSL, you’ll need to use the aptible config:set command.
The value must be set to the string true (e.g., setting to 1 won’t work).