Your app can detect which protocol is being used by examining a request’s X-Forwarded-Proto header. See HTTP Request Headers for more information.

By default, HTTP(S) Endpoints accept traffic over both HTTP and HTTPS. To disallow HTTP and redirect traffic to HTTPS at the Endpoint level, you can set the FORCE_SSL Configuration variable to true (it must be set to the string true, not just any value).

`FORCE_SSL` in detail

Setting FORCE_SSL=true on an app causes 2 things to happen:

Your HTTP(S) Endpoints will redirect all HTTP requests to HTTPS.
Your HTTP(S) Endpoints will set the Strict-Transport-Security header on responses with a max-age of 1 year.

Make sure you understand the implications of setting the Strict-Transport-Security header before using this feature. In particular, by design, clients that connect to your site and receive this header will refuse to reconnect via HTTP for up to a year after they receive the Strict-Transport-Security header.

Enabling `FORCE_SSL`

To set FORCE_SSL, you’ll need to use the aptible config:set command. The value must be set to the string true (e.g., setting to 1 won’t work).

aptible config:set --app "$APP_HANDLE" \
        "FORCE_SSL=true"

HTTPS Protocols Maintenance Page

⌘I

Getting Started

Core Concepts

Reference

HTTPS Redirect

`FORCE_SSL` in detail

Enabling `FORCE_SSL`

Getting Started

Core Concepts

Reference

​FORCE_SSL in detail

​Enabling FORCE_SSL

`FORCE_SSL` in detail

Enabling `FORCE_SSL`