mitre · aaronlippold · Oct 20, 2025 · Oct 21, 2025
diff --git a/.env.production.example b/.env.production.example
@@ -95,7 +95,7 @@ STRUCTURED_LOGGING=true
 RAILS_MAX_THREADS=5
 WEB_CONCURRENCY=2
 
-# Force SSL in production
+# Force SSL in production (set to false for local/dev Kubernetes without ingress TLS)
 FORCE_SSL=true
 
 # Serve static files (required for Docker)

diff --git a/.github/workflows/push-to-docker.yml b/.github/workflows/push-to-docker.yml
@@ -37,4 +37,4 @@ jobs:
           context: .
           push: true
           tags: mitre/vulcan:${{ env.TAG }}
-          # platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
diff --git a/ENVIRONMENT_VARIABLES.md b/ENVIRONMENT_VARIABLES.md
@@ -204,7 +204,7 @@ This ensures OIDC auto-discovery events and all application logs are visible in
 | `RAILS_MASTER_KEY` | Rails master key for credentials | - | Generated by Rails |
 | `RAILS_LOG_TO_STDOUT` | Log to stdout instead of files | - | `true` |
 | `RAILS_SERVE_STATIC_FILES` | Serve static files in production | - | `true` |
-| `FORCE_SSL` | Force SSL connections | - | `true` |
+| `FORCE_SSL` | Force SSL connections (set to `false` for local/dev clusters without ingress TLS) | - | `true` |
 
 ## Container Logging (Production)
 

diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -26,11 +26,13 @@
   # Store uploaded files on the local file system (see config/storage.yml for options).
   config.active_storage.service = :local
 
-  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
-  config.assume_ssl = true
+  # SSL Configuration - controlled by FORCE_SSL environment variable
+  # - When true: Assumes SSL termination at proxy, forces HTTPS, uses secure cookies (production default)
+  # - When false: Allows HTTP, generates http:// URLs (for local/dev Kubernetes without ingress)
+  force_ssl_enabled = ENV.fetch('FORCE_SSL', 'true') == 'true'
 
-  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = true
+  config.assume_ssl = force_ssl_enabled
+  config.force_ssl = force_ssl_enabled
 
   # Skip http-to-https redirect for the default health check endpoint.
   # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }

diff --git a/docs/getting-started/environment-variables.md b/docs/getting-started/environment-variables.md
@@ -204,7 +204,7 @@ This ensures OIDC auto-discovery events and all application logs are visible in
 | `RAILS_MASTER_KEY` | Rails master key for credentials | - | Generated by Rails |
 | `RAILS_LOG_TO_STDOUT` | Log to stdout instead of files | - | `true` |
 | `RAILS_SERVE_STATIC_FILES` | Serve static files in production | - | `true` |
-| `FORCE_SSL` | Force SSL connections | - | `true` |
+| `FORCE_SSL` | Force SSL connections (set to `false` for local/dev clusters without ingress TLS) | - | `true` |
 
 ## Container Logging (Production)