From e3b42b2f10d325daefaaa9767102c6ece2f3dc5a Mon Sep 17 00:00:00 2001
From: Samuel Georges <sam@daftspunk.com>
Date: Sat, 18 Jan 2020 18:04:29 +1100
Subject: [PATCH] Make cms.backendForceSecure an explicit setting

This no longer hinges on app.debug because it creates confusion for devops engineers. This is based on three independent reports coming from app environments that use a reverse proxy. The engineer will follow the proper security instructions by disabling debug mode, which in turn creates an infinite redirect loop when opening the back-end area, only to leave them scratching their heads

Ultimately it is the web server configuration's job to handle the enforcement of HTTPS, the app no longer enforces it as a strong opinion, but we still keep the setting available as a convenient security check for standard environments that do not use a reverse proxy
---
 config/cms.php                               | 6 +++---
 modules/system/traits/SecurityController.php | 7 +------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/config/cms.php b/config/cms.php
index acb98db9a..4c838a026 100644
--- a/config/cms.php
+++ b/config/cms.php
@@ -44,12 +44,12 @@ return [
     |--------------------------------------------------------------------------
     |
     | Use this setting to force a secure protocol when accessing any back-end
-    | pages, including the authentication pages. If set to null, this setting
-    | is enabled when debug mode (app.debug) is disabled.
+    | pages, including the authentication pages. This is usually handled by
+    | web server config, but can be handled by the app for added security.
     |
     */
 
-    'backendForceSecure' => null,
+    'backendForceSecure' => false,
 
     /*
     |--------------------------------------------------------------------------
diff --git a/modules/system/traits/SecurityController.php b/modules/system/traits/SecurityController.php
index 66da07ee8..9405cb9e3 100644
--- a/modules/system/traits/SecurityController.php
+++ b/modules/system/traits/SecurityController.php
@@ -82,11 +82,6 @@ trait SecurityController
             return true;
         }
 
-        $forceSecure = Config::get('cms.backendForceSecure', null);
-        if ($forceSecure === null) {
-            $forceSecure = !Config::get('app.debug', false);
-        }
-
-        return !$forceSecure;
+        return !Config::get('cms.backendForceSecure', false);
     }
 }