diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 3132b03b37..29cdb486ad 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -45,6 +45,14 @@ EMAIL_BACKEND = 'django_ses.SESBackend'
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
 DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 ###################################### CELERY ################################
 # Don't use a connection pool, since connections are dropped by ELB.
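Review bot: The comment above `SECURE_PROXY_SSL_HEADER` tells operators the proxy must *strip* the header, but stripping alone is not the right contract: if the proxy only removes it, Django treats every request as plain HTTP, so the proxy must itself set `X-Forwarded-Proto` from the real connection scheme on every request and overwrite any client-supplied value. The wire header is `X-Forwarded-Proto`, not `HTTP_X_FORWARDED_PROTO` (that is the WSGI `META` key), and because WSGI servers normalise both `X-Forwarded-Proto` and the underscore spelling `X_Forwarded_Proto` to that same key, a proxy that only overrides the hyphenated form still leaves HTTPS spoofable. The trailing context line mentions ELB, so presumably the load balancer is the proxy meant here, but whether it overwrites rather than passes through a client-supplied value should be verified per load-balancer type rather than assumed. I'd reword the comment to say that the proxy must always set `X-Forwarded-Proto` (both spellings) to the true scheme, overwriting whatever the client sent, and that any deployment using this settings module without such a proxy lets a client forge `request.is_secure()`.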