From 1ce76a8ca6823b5775694e6a84b9c9222a65e315 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Mon, 1 Jun 2020 22:58:58 +0300
Subject: [PATCH 1/3] Fix for #368

---
 Dockerfile | 1 +
 app/app.php | 8 ++++++++
 docker-compose.yml | 1 +
 docs/tutorials/environment-variables.md | 6 +++++-
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index fe84acfe6..efd1344c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,6 +51,7 @@ ENV TZ=Asia/Tel_Aviv \
 _APP_HOME=https://appwrite.io \
 _APP_EDITION=community \
 _APP_OPTIONS_ABUSE=enabled \
+ _APP_OPTIONS_FORCE_HTTPS=disabled \
 _APP_OPENSSL_KEY_V1=your-secret-key \
 _APP_STORAGE_LIMIT=104857600 \
 _APP_STORAGE_ANTIVIRUS=enabled \
diff --git a/app/app.php b/app/app.php
index a72116a76..1dbaa418e 100644
--- a/app/app.php
+++ b/app/app.php
@@ -82,6 +82,14 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
 * As recommended at:
 * @see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 */
+ if ($request->getServer('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
+ if(Config::getParam('protocol') !== 'https') {
+ return $response->redirect('https://' . Config::getParam('domain').$request->getServer('REQUEST_URI'));
+ }
+
+ $response->addHeader('Strict-Transport-Security', 'max-age='.(60 * 60 * 24 * 126)); // 126 days
+ }
+
 $response
 ->addHeader('Server', 'Appwrite')
 ->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.urlencode($request->getServer('REQUEST_URI')))
diff --git a/docker-compose.yml b/docker-compose.yml
index 891346152..5ceffe160 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -66,6 +66,7 @@ services:
 #- _APP_ENV=production
 - _APP_ENV=development
 - _APP_OPTIONS_ABUSE=disabled
+ - _APP_OPTIONS_FORCE_HTTPS=enabled
 - _APP_OPENSSL_KEY_V1=your-secret-key
 - _APP_DOMAIN=demo.appwrite.io
 - _APP_DOMAIN_TARGET=demo.appwrite.io
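Review bot: The HTTP-to-HTTPS bounce on the new `return $response->redirect('https://' . Config::getParam('domain').$request->getServer('REQUEST_URI'));` line is applied to every request method, so a POST or PUT arriving over plain HTTP is redirected with whatever status `redirect()` defaults to; unless that is 307/308, clients replay it as a GET without the body and API callers get a confusing failure instead of a clear error. Consider answering non-safe methods with an explicit error stating that HTTPS is required and keeping the redirect for GET/HEAD only, or passing a 308 status if `redirect()` accepts one — its default is not visible in this hunk. If `Config::getParam('protocol')` is derived from the local listener rather than a forwarded-protocol header, a deployment behind a TLS-terminating proxy will classify every request as HTTP and loop on this redirect, so it is worth confirming where that param comes from. The target URL also drops any non-default port, matching the docs caveat; a comment on that line such as `// Port intentionally omitted: forced HTTPS assumes the default 443 (see docs/tutorials/environment-variables.md)` would make that explicit. The enclosing init closure starts and ends outside the hunk.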
diff --git a/docs/tutorials/environment-variables.md b/docs/tutorials/environment-variables.md
index 712c1f1e0..a44e97785 100644
--- a/docs/tutorials/environment-variables.md
+++ b/docs/tutorials/environment-variables.md
@@ -10,7 +10,11 @@ Set your server running environment. By default, the var is set to 'development'
 ### _APP_OPTIONS_ABUSE
-Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this check-in a production environment.
+Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this feature in a production environment.
+
+### _APP_OPTIONS_FORCE_HTTPS
+
+Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the 'Strict-Transport-Security' header to all HTTP responses. By default, set to 'disabled'. To enable, set to 'enabled'. This feature will work only when your ports are set to default 80 and 443.
 ### _APP_OPENSSL_KEY_V1
From aade815c6b4266cb70f8150a02d8310394863c46 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Mon, 1 Jun 2020 23:25:56 +0300
Subject: [PATCH 2/3] Updated dev settings

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 5ceffe160..58c374a98 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -66,7 +66,7 @@ services:
 #- _APP_ENV=production
 - _APP_ENV=development
 - _APP_OPTIONS_ABUSE=disabled
- - _APP_OPTIONS_FORCE_HTTPS=enabled
+ - _APP_OPTIONS_FORCE_HTTPS=disabled
 - _APP_OPENSSL_KEY_V1=your-secret-key
 - _APP_DOMAIN=demo.appwrite.io
 - _APP_DOMAIN_TARGET=demo.appwrite.io
From a670a9ded0ade734ca53f4fc25acd5bc37ae798c Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Thu, 4 Jun 2020 14:04:30 +0300
Subject: [PATCH 3/3] Updated change log

---
 CHANGES.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGES.md b/CHANGES.md
index b1a7cc02a..45063f7f0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,6 +3,7 @@
 ## Features
 - New route in Locale API to fetch a list of languages
+- Added option to force HTTPS connection to the Appwrite server (_APP_OPTIONS_FORCE_HTTPS)
 ## Bug Fixes