I have an interesting little problem - an app on Heroku is configured to use Heroku SSL (beta) but it seems to want to use HTTPS for everything, no matter what I do.
Check that your browser is not redirecting because of a previous HSTS header.
When you enable force_ssl on Rails, the middleware automatically appends the header Strict-Transport-Security with an expiration of 1 year. If you then disable it, your browser will keep the information stored until the expiration and will refuse to connect to the HTTP version of the site anyway.
You can remove the setting from your browser. However, please note that any user that previously accessed your website will be affected by the same behavior as this is the purpose of the HSTS header.
Therefore, in order to maintain compatibility with users who visited the site previously, you should still provide the HTTPS version and avoid sending the HSTS header (or set it to a very short expiration).
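To see how long a given header keeps a browser on HTTPS, the following added example (not part of the original answer) parses a Strict-Transport-Security value according to RFC 6797 and computes when the stored policy expires. The names `parse_hsts` and `HstsPolicy`, the sample header values and the observation time are constructed for illustration.

```ruby
# Added example: parse a Strict-Transport-Security value (RFC 6797, section 6.1)
# and report how long a browser that received it keeps forcing HTTPS.
require "time"

HstsPolicy = Struct.new(:max_age, :include_subdomains) do
  # max-age=0 tells the browser to drop its stored policy for the host.
  def clears_policy?
    max_age.zero?
  end

  # Moment until which a browser that saw the header at `seen_at` upgrades HTTP to HTTPS.
  def pinned_until(seen_at)
    seen_at + max_age
  end
end

# Returns an HstsPolicy, or nil when the header is absent or malformed
# (a malformed header is ignored, so a previously stored policy stays in force).
def parse_hsts(value)
  return nil if value.nil?
  directives = {}
  value.split(";").map(&:strip).reject(&:empty?).each do |part|
    name, arg = part.split("=", 2).map(&:strip)
    name = name.downcase                  # directive names are case-insensitive
    return nil if directives.key?(name)   # each directive may appear only once
    directives[name] = arg
  end
  raw = directives["max-age"]             # max-age is the one required directive
  return nil if raw.nil?
  raw = raw.delete_prefix('"').delete_suffix('"')  # quoted form is allowed
  return nil unless raw.match?(/\A\d+\z/)
  HstsPolicy.new(raw.to_i, directives.key?("includesubdomains"))
end

# Constructed sample values, not captured from a real site.
SAMPLES = {
  "one year (the expiration described above)" => "max-age=31536000",
  "short expiration" => "max-age=300; includeSubDomains",
  "clears the stored policy" => "max-age=0",
}.freeze

if __FILE__ == $PROGRAM_NAME
  seen_at = Time.utc(2016, 1, 1) # constructed observation time
  SAMPLES.each do |label, header|
    policy = parse_hsts(header)
    puts "#{label}: pinned until #{policy.pinned_until(seen_at).iso8601}, clears=#{policy.clears_policy?}"
  end
end
```

A browser only updates its stored policy when it receives the header over HTTPS, which is why the HTTPS version of the site has to stay reachable for a shorter or zero max-age to take effect.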