diff --git a/config/environments/production.rb b/config/environments/production.rb
index f005b3846..e84c55211 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -58,7 +58,7 @@
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = ENV.fetch("FORCE_SSL", false)
+  config.force_ssl = ENV.fetch("FORCE_SSL", true)
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.
diff --git a/config/initializers/decidim.rb b/config/initializers/decidim.rb
index 3fce4bbc2..58055bfea 100644
--- a/config/initializers/decidim.rb
+++ b/config/initializers/decidim.rb
@@ -126,7 +126,7 @@
     config.base_uploads_path = ENV["HEROKU_APP_NAME"] + "/"
   end
 
-  config.force_ssl = ENV.fetch("FORCE_SSL", false)
+  config.force_ssl = ENV.fetch("FORCE_SSL", true)
 end
 
 Rails.application.config.i18n.available_locales = Decidim.available_locales