Does Fly proxy strip X-Forwarded-Proto header from incoming requests?

freeadria · February 1, 2024, 7:18am

Hi all,

I’m using fly to deploy Django webapps with these browser security settings on.
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

These settings will not work without passing in the X-Forwarded-Proto header in deployment settings:
SECURE_PROXY_SSL_HEADER = (“HTTP_X_FORWARDED_PROTO”, “https”)

Django docs advise that this is a possibly unsafe setting since end users can spoof the header in a non-secure (http) request unless the webserver is configured to strip the X-Forwarded-Proto header from all incoming requests. Does the Fly proxy do this?

system · February 8, 2024, 7:18am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Proxy protocol header not sent. Questions / Help	19	922	May 10, 2022
Setting HTTP response headers on Fly proxy breaks deployment Build debugging wishlist , flyctl , proxy	6	385	April 19, 2024
POST request turned into GET requests Questions / Help	7	906	January 7, 2024
Fly Proxy H/2 Details Questions / Help	2	846	March 22, 2022
Why are clients allowed to spoof the X-Forwarded-Port header? Questions / Help	2	561	December 1, 2021

Does Fly proxy strip X-Forwarded-Proto header from incoming requests?

Related Topics