From 3292d95d8b3ea7ebee13f41f42385cdf87437767 Mon Sep 17 00:00:00 2001
From: Juncheol Cho <zironycho@gmail.com>
Date: Thu, 19 Sep 2019 15:26:27 +0900
Subject: [PATCH] chore: add env parameter for enforce https (#1042)

* env parameter for enforce https

* Update app.js

fix format for multi-line condition

* Update app.js

fix code format

* Update app.js
---
 .env.sample   |  2 ++
 server/app.js | 16 ++++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.env.sample b/.env.sample
index 32f80266f..516f8283e 100644
--- a/.env.sample
+++ b/.env.sample
@@ -11,6 +11,8 @@ REDIS_URL=redis://redis:6379
 
 URL=http://localhost:3000
 PORT=3000
+# enforce https in production mode (optional - default is true)
+# FORCE_HTTPS=true
 
 DEPLOYMENT=self
 ENABLE_UPDATES=true
diff --git a/server/app.js b/server/app.js
index 19c58ab6a..1241cb9f3 100644
--- a/server/app.js
+++ b/server/app.js
@@ -75,12 +75,16 @@ if (process.env.NODE_ENV === 'development') {
 
   app.use(mount('/emails', emails));
 } else if (process.env.NODE_ENV === 'production') {
-  // Force HTTPS on all pages
-  app.use(
-    enforceHttps({
-      trustProtoHeader: true,
-    })
-  );
+  // Force redirect to HTTPS protocol unless explicitly disabled
+  if (process.env.FORCE_HTTPS !== 'false') {
+    app.use(
+      enforceHttps({
+        trustProtoHeader: true,
+      })
+    );
+  } else {
+    console.warn('Enforced https was disabled with FORCE_HTTPS env variable');
+  }
 
   // trust header fields set by our proxy. eg X-Forwarded-For
   app.proxy = true;