We should redirect insecure requests to the https version when not running locally. RACK_ENV would suffice as a flag for when to do this I believe.
Ideally we could also add HSTS headers to the API without the subdomain flag and set to expire after one year.
We should redirect insecure requests to the https version when not running locally.
RACK_ENVwould suffice as a flag for when to do this I believe.Ideally we could also add HSTS headers to the API without the subdomain flag and set to expire after one year.