Set force_ssl for webapp unless using self signed certs
#8553 reports insecure cookies. These show up if force_ssl is set to false for the webapp. Sadly this is the default because the setting also turns on hsts - which in turn breaks usage with self signed certs.
I'm not sure if we want to change the default. Ideally we would be able to detect if a provider has self signed or proper certs and base this setting on that.
Once the webapp has been updated to rails 5 cookies can be secured without turning on hsts. However we will still want to turn on hsts where possible. So a mechanism to detect or configure wether we are using self signed certs or not would be good either way.
(from redmine: created on 2016-11-11, relates #8553, relates #3514 (closed))