diff --git a/cmd/godoc/app.prod.yaml b/cmd/godoc/app.prod.yaml
index 832db0970..315c3dbc8 100644
--- a/cmd/godoc/app.prod.yaml
+++ b/cmd/godoc/app.prod.yaml
@@ -3,7 +3,7 @@ env: flex
 env_variables:
 GODOC_PROD: true
- # GODOC_ENFORCE_HOSTS: true # TODO(cbro): modify host filter to allow version-specific URLs (see issue 27205).
+ GODOC_ENFORCE_HOSTS: true
 GODOC_REDIS_ADDR: 10.0.0.4:6379 # instance "gophercache"
 GODOC_ANALYTICS: UA-11222381-2
 DATASTORE_PROJECT_ID: golang-org
diff --git a/cmd/godoc/handlers.go b/cmd/godoc/handlers.go
index 4152a3eee..fabb67977 100644
--- a/cmd/godoc/handlers.go
+++ b/cmd/godoc/handlers.go
@@ -44,7 +44,7 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 h.h.ServeHTTP(w, r)
 return
 }
- if r.TLS == nil || !h.validHost(r.Host) {
+ if !h.isHTTPS(r) || !h.validHost(r.Host) {
 r.URL.Scheme = "https"
 if h.validHost(r.Host) {
 r.URL.Host = r.Host
@@ -58,9 +58,17 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 h.h.ServeHTTP(w, r)
 }
+func (h hostEnforcerHandler) isHTTPS(r *http.Request) bool {
+ return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
+}
+
 func (h hostEnforcerHandler) validHost(host string) bool {
 switch strings.ToLower(host) {
- case "golang.org", "godoc-test.golang.org", "golang.google.cn":
+ case "golang.org", "golang.google.cn":
+ return true
+ }
+ if strings.HasSuffix(host, "-dot-golang-org.appspot.com") {
+ // staging/test
 return true
 }
 return false
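Review bot: The redirect guard `if !h.isHTTPS(r) || !h.validHost(r.Host)` now rests on a request header rather than on the connection state, because isHTTPS (added in the next hunk of this file) also accepts `X-Forwarded-Proto: https`. That header is trustworthy only when every request arrives through a front end that sets or overwrites it; if the server is ever reachable directly, the HTTPS redirect no longer depends on how the request actually arrived. I would record the assumption at the call site, e.g. `// isHTTPS trusts X-Forwarded-Proto; valid only behind the front end that terminates TLS and sets the header.` ServeHTTP starts and ends outside this hunk, so whether enforcement is already limited to that deployment cannot be confirmed from here.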
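Review bot: In validHost the new `strings.HasSuffix(host, "-dot-golang-org.appspot.com")` test runs on the raw `host`, while the switch above it compares `strings.ToLower(host)`, so a staging host written in mixed case is rejected even though host names are case-insensitive. Normalising once keeps the two checks consistent: `host = strings.ToLower(host)` followed by `switch host {`. The suffix rule also accepts any leading text, and the previous hunk copies an accepted `r.Host` into the redirect URL, so this is a pattern rather than an allowlist entry. The `// staging/test` comment should say which form is intended, e.g. `// App Engine version hosts: VERSION-dot-golang-org.appspot.com (staging/test).`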