Does Fly proxy strip X-Forwarded-Proto header from incoming requests?

Hi all,

I’m using fly to deploy Django webapps with these browser security settings on.

These settings will not work without passing in the X-Forwarded-Proto header in deployment settings:

Django docs advise that this is a possibly unsafe setting since end users can spoof the header in a non-secure (http) request unless the webserver is configured to strip the X-Forwarded-Proto header from all incoming requests. Does the Fly proxy do this?

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.