I too had a fully HTTPS-enabled site since forever but then this warning started to be pushed at me every week. It took me a long time to find the time to really dig into what the setting does.
I’m assuming that @ljpp is, like I was, more interested in what the force_https setting actually does rather than just knowing which magic checkbox to enable to make the noise go away.
My site has always had HTTP redirected to HTTPS so I could only assume that this setting is there to enable an HSTS header. After digging into the Discourse source code I confirmed that this is what it does and that it only affects the host name of the Discourse site rather than the entire domain name.
Enabling the setting results in a header like this being included with every HTTPS response from the server:
strict-transport-security: max-age=31536000 (1 year)
I intentionally left the setting disabled until I could look at the source code because the setting isn’t documented and I was concerned that it might enable HSTS on my entire domain.
Interestingly, this old Discourse PR fixed the very issue I was concerned about, although both it and this relevant Stack Exchange Q/A seem to interpret the HSTS spec incorrectly. If all user agents have incorrectly implemented the HSTS spec then there may have been nothing for me to worry about in the first place. I’ve recently posted a contradictory answer to Stack Exchange so it will be interesting to see if that triggers some authoritative confirmation of the situation from those that maintain and implement the spec.
In the meantime, I would say that if you’ve done all the usual checks to ensure your entire forum and all included content work fine over HTTPS then it is safe to enable this setting. I enabled it on my site a couple of months ago with no ill effects.
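
Added example (not part of the original post, and not Discourse code): a small Python check of which hosts a Strict-Transport-Security header value covers, following the directive syntax and host matching rules of RFC 6797. The host names are constructed placeholders, and the header value is the one quoted in the post without the "(1 year)" annotation.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is malformed and a conforming user agent would ignore the header.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are permitted
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = arg.strip().strip('"') if sep else None
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    if seen.get("includesubdomains") is not None:
        return None  # includeSubDomains takes no value
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}

def policy_covers(policy_host, policy, request_host):
    """True if a policy noted for policy_host applies to request_host."""
    p = policy_host.lower().rstrip(".")
    r = request_host.lower().rstrip(".")
    if policy is None or policy["max_age"] == 0:
        return False  # invalid header is ignored; max-age=0 removes the policy
    if r == p:
        return True  # congruent match: the host that sent the header
    # Superdomain match: only honoured when includeSubDomains was present.
    return policy["include_subdomains"] and r.endswith("." + p)

if __name__ == "__main__":
    forum = "forum.example.com"  # constructed placeholder host
    hosts = [forum, "example.com", "www.example.com", "cdn.forum.example.com"]
    for header in ("max-age=31536000", "max-age=31536000; includeSubDomains"):
        policy = parse_hsts(header)
        print(header, "->", [h for h in hosts if policy_covers(forum, policy, h)])
```
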