diff --git a/course_discovery/settings/production.py b/course_discovery/settings/production.py
index bb2c408853..44609c0bd0 100644
--- a/course_discovery/settings/production.py
+++ b/course_discovery/settings/production.py
@@ -94,3 +94,10 @@
     k.lower(): (v.replace("\\n", "\n") if k.lower() == "private_key" else v)
     for (k, v) in GOOGLE_SERVICE_ACCOUNT_CREDENTIALS.items()
 }
+
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See https://docs.djangoproject.com/en/5.1/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')