diff --git a/lib/index.js b/lib/index.js
index 697c984..8c806bd 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -18,11 +18,16 @@ const port = process.env.PORT
 const certEndpoint = process.env.CERT_ENDPOINT || ''
 const certSecret = process.env.CERT_SECRET || ''
 const isDevelopment = process.env.NODE_ENV === 'development'
+const enforceHTTPS = Boolean(process.env.ENFORCE_HTTPS)
 const app = express()
 const appLogger = createAppLogger({ dev: isDevelopment })
-app.use(forceSecure)
+// Force app to always redirect to HTTPS
+// use when you can't configure web server
+if (enforceHTTPS) {
+ app.use(forceSecure)
+}
 // Server logs
 app.use(createRouteLogger({ dev: isDevelopment }))
diff --git a/readme.MD b/readme.MD
index e74bcd6..8df911a 100644
--- a/readme.MD
+++ b/readme.MD
@@ -30,7 +30,7 @@ The app is automatically set up to create logs in `logs/` directory each day but
 ### HTTPS
-App contains middleware that will redirect all traffic to HTTPS if the requests contain header `X-FORWARDED-PROTO`.
+App contains middleware that will redirect all traffic to HTTPS if the requests contain header `X-FORWARDED-PROTO`. For this to work, the middleware has to be enabled by setting environment variable `ENFORCE_HTTPS` to value `1`.
 There are environment variables for setting pu SSL certificate from Let's Encrypt (acme challenge): `CERT_ENDPOINT` and `CERT_SECRET`.
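Review bot: Gating `app.use(forceSecure)` on `enforceHTTPS` turns the HTTPS redirect from always-on into opt-in, so any existing deployment that does not set `ENFORCE_HTTPS` silently stops redirecting plain-HTTP traffic after this change. If the goal is only to let operators behind a TLS-terminating web server switch it off, an explicit opt-out keeps the safe default, for example `const enforceHTTPS = process.env.ENFORCE_HTTPS !== '0'`. Separately, `Boolean(process.env.ENFORCE_HTTPS)` is true for any non-empty string, so `ENFORCE_HTTPS=0` or `ENFORCE_HTTPS=false` still enables the middleware, which does not match the readme's "set to value `1`". Compare against the documented value explicitly. A startup log line stating whether the redirect is active would make a misconfiguration visible to operators.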