Some secure settings prevent redirect

Hi, I deployed a Django application to Railway. It’s based on the MDN Tutorial. But there are two recommended security settings that I haven’t been able to get to work: SECURE_SSL_REDIRECT and SESSION_COOKIE_SECURE. If I set either of these to True, the browser (Firefox, Chrome) reports a “redirect failure” for any requested page. If these are both set False, the application appears to work correctly. The site is SSL enabled by default so I’m not sure if these settings are necessary.

I have the setting CSRF_COOKIE_SECURE set True, but it is not causing any errors when I submit a form. I haven’t tested the SECURE_HSTS_SECONDS setting yet.

EDIT: This is what shows in Firefox:

The page isn’t redirecting properly
An error occurred during a connection to web-production-78d2.up.railway.app.
This problem can sometimes be caused by disabling or refusing to accept cookies.

I have logging to the console turned on at the INFO level but nothing is getting logged on this.

See the docs for SECURE_SSL_REDIRECT. I’d guess that the “Note” box is particularly relevant here. If so, then having SECURE_SSL_REDIRECT=False doesn’t matter.

Thanks, Ken. I think you’re right, there must be a proxy server which is returning 301 ‘moved permanently’ to effectively redirect any insecure http requests to https.

Hi, I have the same problem. What did you do to solve the problem? Any settings to handle SECURE_SSL_REDIRECT = True? Thank you.

Did you read the Note box from the SECURE_SSL_REDIRECT docs link above?
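
An added illustration, not part of the original thread and not Django's own code: a small model of why SECURE_SSL_REDIRECT loops behind a TLS-terminating proxy, and how the SECURE_PROXY_SSL_HEADER setting that the docs note points to breaks the loop. It assumes the proxy forwards plain HTTP to the app and sets X-Forwarded-Proto; the function names are hypothetical.

```python
# Simplified model of Django's behaviour; assumption: the platform proxy
# terminates TLS, forwards plain HTTP to the app, and sets X-Forwarded-Proto
# (which Django sees as META["HTTP_X_FORWARDED_PROTO"]).

def is_secure(meta, scheme, proxy_ssl_header=None):
    """Model of request.is_secure() with and without SECURE_PROXY_SSL_HEADER."""
    if proxy_ssl_header:
        name, secure_value = proxy_ssl_header
        if name in meta:
            return meta[name].split(",")[0].strip() == secure_value
    return scheme == "https"

def app_response(meta, scheme, ssl_redirect, proxy_ssl_header=None):
    """Model of SecurityMiddleware: 301 to https when the request looks insecure."""
    if ssl_redirect and not is_secure(meta, scheme, proxy_ssl_header):
        return 301
    return 200

def browse(client_scheme, ssl_redirect, proxy_ssl_header=None, max_hops=10):
    """Follow redirects as a browser would; return (outcome, hops used)."""
    for hop in range(1, max_hops + 1):
        # Proxy records the client's scheme in a header, then talks HTTP to the app.
        meta = {"HTTP_X_FORWARDED_PROTO": client_scheme}
        status = app_response(meta, "http", ssl_redirect, proxy_ssl_header)
        if status == 200:
            return ("ok", hop)
        client_scheme = "https"  # browser follows the 301 to the https URL
    return ("redirect loop", max_hops)

# Settings as in the thread: the app never sees https, so every request is redirected.
print(browse("https", ssl_redirect=True))

# settings.py equivalent: SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
trusted = ("HTTP_X_FORWARDED_PROTO", "https")
print(browse("https", ssl_redirect=True, proxy_ssl_header=trusted))
print(browse("http", ssl_redirect=True, proxy_ssl_header=trusted))
```

Only set SECURE_PROXY_SSL_HEADER when the proxy sets or strips that header on every request; otherwise a client can send it and make an insecure request look secure to Django.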