diff --git a/rhodecode/lib/middleware/https_fixup.py b/rhodecode/lib/middleware/https_fixup.py
--- a/rhodecode/lib/middleware/https_fixup.py
+++ b/rhodecode/lib/middleware/https_fixup.py
@@ -35,11 +35,16 @@ class HttpsFixup(object):
 def __call__(self, environ, start_response):
 self.__fixup(environ)
- req = Request(environ)
- resp = req.get_response(self.application)
- if environ['wsgi.url_scheme'] == 'https':
- resp.headers['Strict-Transport-Security'] = 'max-age=8640000; includeSubDomains'
- return resp(environ, start_response)
+ debug = str2bool(self.config.get('debug'))
+ if str2bool(self.config.get('use_htsts')) and not debug:
+ req = Request(environ, self.application)
+ resp = req.get_response(self.application)
+ if environ['wsgi.url_scheme'] == 'https':
+ resp.headers['Strict-Transport-Security'] = \
+ 'max-age=8640000; includeSubDomains'
+ return resp(environ, start_response)
+
+ return self.application(environ, start_response)
 def __fixup(self, environ):
 """
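Review bot: The new guard in `__call__` makes HSTS opt-in under the key `use_htsts`, which reads like a misspelling of `use_hsts`; an operator who sets `use_hsts = true` gets no `Strict-Transport-Security` header and no error, and a deployment without the key presumably loses the header it was sent on every HTTPS response before this change. I would read the correctly spelled key, keeping the old spelling as a fallback if it has already shipped, e.g. `if str2bool(self.config.get('use_hsts', self.config.get('use_htsts'))) and not debug:`, and document the setting and its default in the ini template. Separately, `Request(environ, self.application)` passes the application as a second positional argument; if `Request` is WebOb's (the import is outside the hunk), that slot is `charset`, so `req = Request(environ)` as on the old side looks like the intended call. `self.config` and `str2bool` must be provided outside this hunk and are not visible here.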