diff --git a/config/cms.php b/config/cms.php
index acb98db9a..4c838a026 100644
--- a/config/cms.php
+++ b/config/cms.php
@@ -44,12 +44,12 @@ return [
 |--------------------------------------------------------------------------
 |
 | Use this setting to force a secure protocol when accessing any back-end
- | pages, including the authentication pages. If set to null, this setting
- | is enabled when debug mode (app.debug) is disabled.
+ | pages, including the authentication pages. This is usually handled by
+ | web server config, but can be handled by the app for added security.
 |
 */
 
- 'backendForceSecure' => null,
+ 'backendForceSecure' => false,
 
 /*
 |--------------------------------------------------------------------------
diff --git a/modules/system/traits/SecurityController.php b/modules/system/traits/SecurityController.php
index 66da07ee8..9405cb9e3 100644
--- a/modules/system/traits/SecurityController.php
+++ b/modules/system/traits/SecurityController.php
@@ -82,11 +82,6 @@ trait SecurityController
 return true;
 }
 
- $forceSecure = Config::get('cms.backendForceSecure', null);
- if ($forceSecure === null) {
- $forceSecure = !Config::get('app.debug', false);
- }
-
- return !$forceSecure;
+ return !Config::get('cms.backendForceSecure', false);
 }
 }
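Review bot: The rewritten docblock above `'backendForceSecure' => false,` no longer says what each value does, and it drops the mention of null without stating that null has stopped meaning "on when app.debug is off". With the default now false, the app appears to make no secure-protocol check of its own for back-end and authentication pages, so enforcement rests entirely on the web server; the comment should say that outright rather than "usually handled by web server config". I would extend it with `| Set to true to have the app force a secure protocol itself. When false (the` and `| default) the app makes no check and the web server must enforce HTTPS.`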
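Review bot: A config file that still carries the old `'backendForceSecure' => null` now reads as "not forced" on the new `return !Config::get('cms.backendForceSecure', false);` line, because the `false` default only applies when the key is absent and `!null` is true. Before this change the same null meant forced whenever app.debug was off, so existing production installs that never edited the key appear to lose back-end HTTPS enforcement on upgrade, with no error or log line to show it. If retiring the null behaviour is intended, record it at the call site with a comment such as `// null (the previous default) is treated as false: the app does not force HTTPS` and call it out in the upgrade notes. The enclosing method starts above the hunk, so how callers act on the return value is not visible here.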