Make force_ssl true by default

Better to stay on the safe side. This requires to set the FORCE_SSL env var in staging as false and makes it optional in production.
CoopCat-Confederacio-de-Cooperatives · Nov 4, 2020 · 77c82f6 · 77c82f6
1 parent 6d798ed
commit 77c82f6
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -58,7 +58,7 @@
   # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = ENV.fetch("FORCE_SSL", false)
+  config.force_ssl = ENV.fetch("FORCE_SSL", true)
 
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.

diff --git a/config/initializers/decidim.rb b/config/initializers/decidim.rb
@@ -126,7 +126,7 @@
     config.base_uploads_path = ENV["HEROKU_APP_NAME"] + "/"
   end
 
-  config.force_ssl = ENV.fetch("FORCE_SSL", false)
+  config.force_ssl = ENV.fetch("FORCE_SSL", true)
 end
 
 Rails.application.config.i18n.available_locales = Decidim.available_locales