Consolidate settings to avoid setting DEPLOY_ENVIRONMENT

cfpb · Dec 11, 2024 · 892b8cf · 892b8cf
1 parent 99a0bc8
commit 892b8cf
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/cfgov/cfgov/settings/production.py b/cfgov/cfgov/settings/production.py
@@ -113,7 +113,12 @@
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_HSTS_PRELOAD = True
-SECURE_SSL_REDIRECT = True
+
+# In production deployments SSL is never terminated at the Django application,
+# so in practice Django will never receive secure requests. HTTP requests must
+# always come with an "X-Forwarded-Proto: https" header if this is set to True
+# or this we get into a redirect loop.
+SECURE_SSL_REDIRECT = False
 
 # Require the SECRET_KEY as an environment variable
 SECRET_KEY = os.getenv("SECRET_KEY")
@@ -144,8 +149,3 @@
     LOGGING["loggers"]["mozilla_django_oidc"] = {
         "level": "INFO",
     }
-
-if DEPLOY_ENVIRONMENT == "container":
-    # This can result in a redirect loop if True and an X-Forwarded-Proto
-    # header is not provided.
-    SECURE_SSL_REDIRECT = False