diff --git a/.pa11yci b/.pa11yci
index a34b50645..51cc60d3f 100644
--- a/.pa11yci
+++ b/.pa11yci
@@ -2,6 +2,7 @@
 "defaults": {
 "standard": "WCAG2AA",
 "runners": ["axe"],
+ "concurrency": 1,
 "hideElements": [
 "nav > ol a",
 "#sms-pricing-details",
diff --git a/Makefile b/Makefile
index 08696b6d2..f77aa4c8d 100644
--- a/Makefile
+++ b/Makefile
@@ -27,6 +27,10 @@ watch-frontend: ## Build frontend and watch for changes
 run-flask: ## Run flask
 pipenv run newrelic-admin run-program flask run -p 6012 --host=0.0.0.0
 
+.PHONY: run-flask-bare
+run-flask-bare: ## Run flask without invoking pipenv so we can override ENV variables in .env
+ flask run -p 6012 --host=0.0.0.0
+
 .PHONY: npm-audit
 npm-audit: ## Check for vulnerabilities in NPM packages
 source $(NVMSH) && npm run audit
diff --git a/app/__init__.py b/app/__init__.py
index d6fda1ddf..062f5b892 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -247,7 +247,8 @@ def create_app(application):
 application,
 content_security_policy=_csp(application.config),
 content_security_policy_nonce_in=['style-src', 'script-src'],
- frame_options='deny'
+ frame_options='deny',
+ force_https=(application.config['HTTP_PROTOCOL'] == 'https')
 )
 logging.init_app(application)
 webauthn_server.init_app(application)
diff --git a/app/config.py b/app/config.py
index 9e3640ed5..f8aabb269 100644
--- a/app/config.py
+++ b/app/config.py
@@ -154,7 +154,7 @@ class Sandbox(Staging):
 class Scanning(Production):
 BASIC_AUTH_FORCE = False
 HTTP_PROTOCOL = 'http'
- API_HOST_NAME = 'https://notify-api-demo.app.cloud.gov/'
+ API_HOST_NAME = 'https://notify-api-staging.app.cloud.gov/'
 SECRET_KEY = 'dev-notify-secret-key' # nosec B105 - only used in development
 ADMIN_CLIENT_USER_NAME = 'notify-admin'
 ADMIN_CLIENT_SECRET = 'dev-notify-secret-key' # nosec B105 - only used in development
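Review bot: The new `run-flask-bare` recipe keeps `--host=0.0.0.0`, so the development server listens on every interface. Because it runs outside pipenv, it also picks up whatever Flask settings the calling shell or `.env` provides, which may include debug mode (not visible in this hunk). If the scanner runs on the same machine, prefer `flask run -p 6012 --host=127.0.0.1`, or make the bind address an overridable make variable. The help text could also say that the caller must already have the project's virtualenv active, since pipenv no longer provides it.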
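Review bot: The added `force_https` expression fails open: any `HTTP_PROTOCOL` value other than the exact string `'https'` (for example `'HTTPS'` or a value with stray whitespace) silently switches the HTTPS redirect off. The `Scanning` profile in app/config.py is the one visible place that sets `'http'`, so consider inverting the test so HTTPS stays enforced unless HTTP is chosen explicitly: `force_https=(application.config['HTTP_PROTOCOL'] != 'http')`. A short comment such as `# plain HTTP is only expected for the scanning profile` would record the intent. The remaining options of this call and the rest of `create_app` are outside the hunk, so it is worth confirming that secure session cookies still behave as intended when the app is served over HTTP.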
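Review bot: `Scanning` now points `API_HOST_NAME` at the shared staging API, while the context lines keep the committed `ADMIN_CLIENT_SECRET = 'dev-notify-secret-key'`, `BASIC_AUTH_FORCE = False` and `HTTP_PROTOCOL = 'http'`. If the staging API accepts that literal secret, then the credential for `notify-admin` is effectively public to anyone who can read the repository. Confirm that staging rejects it, or have the scan job supply the host and client secret through its environment instead of literals. A comment on the changed line, for example `# scans run against staging; never point this profile at production`, would document why the host changed. The class body continues outside the hunk.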