Delegate HSTS to nginx.

Remove the ssl_options config option. Let nginx handle HSTS and
http->https redirects instead. At the rails level, all we need to do is
set the secure cookie flag when https is enabled (which we assume it's
enabled in production).

config/application.rb

@@ -46,17 +46,6 @@ module Danbooru
 
     config.log_tags = [->(req) {"PID:#{Process.pid}"}]
     config.action_controller.action_on_unpermitted_parameters = :raise
-    config.force_ssl = true
-
-    if Rails.env.production? && Danbooru.config.ssl_options.present?
-      config.ssl_options = Danbooru.config.ssl_options
-    else
-      config.ssl_options = {
-        hsts: false,
-        secure_cookies: false,
-        redirect: { exclude: ->(request) { true } }
-      }
-    end
 
     if File.exist?("#{config.root}/REVISION")
       config.x.git_hash = File.read("#{config.root}/REVISION").strip

config/danbooru_default_config.rb

@@ -187,26 +187,6 @@ module Danbooru
       }
     end
 
-    # Permanently redirect all HTTP requests to HTTPS.
-    #
-    # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
-    # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
-    def ssl_options
-      {
-        redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
-        hsts: {
-          expires: 1.year,
-          preload: true,
-          subdomains: false
-        }
-      }
-    end
-
-    # Disable the forced use of HTTPS.
-    # def ssl_options
-    #   false
-    # end
-
     # The name of the server the app is hosted on.
     def server_host
       Socket.gethostname

config/initializers/session_store.rb

@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_danbooru2_session', domain: :all, tld_length: 2, same_site: :lax
+Rails.application.config.session_store :cookie_store, key: '_danbooru2_session', domain: :all, tld_length: 2, same_site: :lax, secure: Rails.env.production?