📘 Your app can detect which protocol is being used by examining a request's
X-Forwarded-Protoheader. See HTTP Request Headers for more information.
By default, HTTP(S) Endpoints accept traffic over both HTTP and HTTPS.
To disallow HTTP and redirect traffic to HTTPS at the Endpoint level, you can set the
FORCE_SSL Configuration variable to
true (it must be set to the string
true, not just any value).
FORCE_SSL in detail
FORCE_SSL=true on an app causes 2 things to happen:
- Your HTTP(S) Endpoints will redirect all HTTP requests to HTTPS.
- Your HTTP(S) Endpoints will set the
Strict-Transport-Securityheader on responses with a max-age of 1 year.
Make sure you understand the implications of setting the
Strict-Transport-Security header before using this feature.
In particular, by design, clients that connect to your site and receive this header will refuse to reconnect via HTTP for up to a year after they receive the
FORCE_SSL, you'll need to use the
aptible config:set command.
The value must be set to the string
true (e.g., setting to
1 won't work).
aptible config:set --app "$APP_HANDLE" \ "FORCE_SSL=true"