HTTPS Redirect

Tip: Your app can detect which protocol is being used by examining a request's X-Forwarded-Proto header. See HTTP Request Headers for more information.
By default, HTTP(S) Endpoints accept traffic over both HTTP and HTTPS. To disallow HTTP and redirect traffic to HTTPS at the Endpoint level, you can set the FORCE_SSL Configuration variable to true (it must be set to the string true, not just any value).
FORCE_SSL in detail

Setting FORCE_SSL=true on an app causes 2 things to happen:
- Your HTTP(S) Endpoints will redirect all HTTP requests to HTTPS.
- Your HTTP(S) Endpoints will set the Strict-Transport-Security header on responses with a max age of 1 year.
Make sure you understand the implications of setting the Strict-Transport-Security header before using this feature. In particular, by design, clients that connect to your site and receive this header will refuse to reconnect via HTTP for up to a year after they receive the Strict-Transport-Security header.
Enabling FORCE_SSL

To set FORCE_SSL, you'll need to use the aptible config:set command. The value must be set to the string true (e.g. setting it to 1 won't work).
aptible config:set --app "$APP_HANDLE" \
"FORCE_SSL=true"
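The following is an added example, not Aptible's code: an app-level WSGI middleware that reproduces the two behaviours FORCE_SSL=true gives you at the Endpoint, so you can see what the Endpoint does on your behalf and how the X-Forwarded-Proto tip above fits in. It reads X-Forwarded-Proto (which WSGI exposes as HTTP_X_FORWARDED_PROTO), answers plain-HTTP requests with a 301 to the same URL over https, and stamps a one-year Strict-Transport-Security header on HTTPS responses. The ForceSSL class, the hello_app demo app and the handle() test driver are assumptions made for this example. It relies on the app only being reachable through the proxy that sets the header; if clients can reach the app directly, a forged X-Forwarded-Proto would bypass the redirect, which is one reason the Endpoint-level FORCE_SSL setting is preferable to doing this in the app.

```python
"""Added example (not Aptible's code): app-level equivalent of FORCE_SSL.

A WSGI middleware that reads X-Forwarded-Proto, redirects plain-HTTP
requests to HTTPS and adds a one-year Strict-Transport-Security header
to HTTPS responses. ForceSSL, hello_app and handle() are assumptions
made for this example.
"""
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year in seconds, as FORCE_SSL sets it


class ForceSSL:
    """Redirect HTTP -> HTTPS and emit HSTS, based on X-Forwarded-Proto."""

    def __init__(self, app, hsts_max_age=HSTS_MAX_AGE):
        self.app = app
        self.hsts_value = f"max-age={hsts_max_age}"

    def __call__(self, environ, start_response):
        # The proxy terminates TLS and reports the original scheme in
        # X-Forwarded-Proto. If several proxies appended values, the first
        # one is the scheme the client actually used.
        proto = environ.get("HTTP_X_FORWARDED_PROTO",
                            environ.get("wsgi.url_scheme", "http"))
        proto = proto.split(",")[0].strip().lower()

        if proto != "https":
            # Permanent redirect to the same host/path/query over HTTPS.
            location = self._https_url(environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS, so it is added
            # on this branch only; any app-supplied copy is replaced.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)

    @staticmethod
    def _https_url(environ):
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
        query = environ.get("QUERY_STRING", "")
        return f"https://{host}{path}" + (f"?{query}" if query else "")


def hello_app(environ, start_response):
    """Constructed demo app wrapped by the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


def handle(app, method="GET", path="/", query="", host="example.com",
           forwarded_proto=None):
    """Drive a WSGI app with a constructed request (no real server).

    Returns (status, headers_dict, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SCRIPT_NAME": "",
        "QUERY_STRING": query,
        "HTTP_HOST": host,
        "wsgi.url_scheme": "http",
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = ForceSSL(hello_app)

if __name__ == "__main__":
    print(handle(app, path="/login", query="next=%2Fhome", forwarded_proto="http"))
    print(handle(app, path="/login", forwarded_proto="https"))
```

After enabling FORCE_SSL on a real app, the same two behaviours can be confirmed from outside with curl -I against the http:// URL (expect a 301 with an https Location) and against the https:// URL (expect a Strict-Transport-Security: max-age=31536000 header). Because that header is cached by browsers for the full year, test it on a non-production hostname first.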