Merge pull request #2275 from manyfold3d/force-ssl

Add FORCE_HTTPS env option to force secure-only connections

config/environments/production.rb

@@ -46,7 +46,7 @@
   # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = (ENV.fetch("HTTPS_ONLY", nil) === "enabled")
 
   # Include generic and useful information about system operation, but avoid logging too much
   # information to avoid inadvertent exposure of personally identifiable information (PII).