diff --git a/.env.sample b/.env.sample
index 32f80266..516f8283 100644
--- a/.env.sample
+++ b/.env.sample
@@ -11,6 +11,8 @@ REDIS_URL=redis://redis:6379
 URL=http://localhost:3000
 PORT=3000
+# enforce https in production mode (optional - default is true)
+# FORCE_HTTPS=true
 DEPLOYMENT=self
 ENABLE_UPDATES=true
diff --git a/server/app.js b/server/app.js
index 19c58ab6..1241cb9f 100644
--- a/server/app.js
+++ b/server/app.js
@@ -75,12 +75,16 @@ if (process.env.NODE_ENV === 'development') {
 app.use(mount('/emails', emails));
 } else if (process.env.NODE_ENV === 'production') {
- // Force HTTPS on all pages
- app.use(
- enforceHttps({
- trustProtoHeader: true,
- })
- );
+ // Force redirect to HTTPS protocol unless explicitly disabled
+ if (process.env.FORCE_HTTPS !== 'false') {
+ app.use(
+ enforceHttps({
+ trustProtoHeader: true,
+ })
+ );
+ } else {
+ console.warn('Enforced https was disabled with FORCE_HTTPS env variable');
+ }
 // trust header fields set by our proxy. eg X-Forwarded-For
 app.proxy = true;
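Review bot: The opt-out check in the production branch matches only the exact lowercase string `'false'`, so a deployment that sets `FORCE_HTTPS=False` or `FORCE_HTTPS=0` keeps the redirect on without emitting the warning; that is the safe direction to fail, but it makes the variable's contract narrower than the `.env.sample` comment implies. Normalising the value once keeps the fail-closed default while making the opt-out predictable: `const forceHttps = (process.env.FORCE_HTTPS || 'true').toLowerCase() !== 'false';` followed by `if (forceHttps) {`. The `.env.sample` comment would then read `# set to false to disable the HTTPS redirect in production (default: true)` so the only accepted disabling value is documented. Disabling the redirect leaves `trustProtoHeader` and `app.proxy = true` unconditional, so the warning could also state that X-Forwarded-* headers from the proxy are still trusted; the enclosing `else if` block closes outside the hunk.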