HTTPS Redirect

Tip

Your app can detect which protocol is being used by examining a request’s X-Forwarded-Proto header. See HTTP Request Headers for more information.

By default, HTTP(S) Endpoints accept traffic over both HTTP and HTTPS.

To disallow HTTP and redirect traffic to HTTPS at the Endpoint level, you can set the FORCE_SSL Configuration variable to true (it must be set to the string true, not just any value).

FORCE_SSL in detail

Setting FORCE_SSL=true on an app causes 2 things to happen:

  • Your HTTP(S) Endpoints will redirect all HTTP requests to HTTPS.
  • Your HTTP(S) Endpoints will set the Strict-Transport-Security header on responses with a max age of 1 year.

Make sure you understand the implications of setting the Strict-Transport-Security header before using this feature.

In particular, by design, clients that connect to your site and receive this header will refuse to reconnect via HTTP for up to a year after they receive the Strict-Transport-Security header.

Enabling FORCE_SSL

To set FORCE_SSL, you’ll need to use the aptible config:set command.

The value must be set to the string true (e.g. setting to 1 won’t work).

aptible config:set --app "$APP_HANDLE" \
        "FORCE_SSL=true"