Product
API Client

A lightweight and secure API Client for faster API Development & Testing

HTTP Interceptor

A Powerful HTTP Interceptor to Intercept, Record, Debug & Modify HTTP Requests

API Mocking

Build frontend faster without waiting for backend.

Use Case
Frontend Web/Mobile Developers

Requestly improves front-end workflows with local JS testing, mocking, and SessionBook debugging.

For QA engineers

QA engineers love Requestly for its features and ease of use, allowing easy edge case testing.

Support Engineer

Support engineers value Requestly for debugging, demoing, and overriding GTM and Adobe scripts.

Backend Developers

Requestly helps in improving back-end development workflows, by enabling testing.

Requestly vs Postman
Resources
Pricing
Blog
Case Studies
Status
Github
Release Note
Student Programme

📣 Requestly API Client – Free Forever & Open Source. A powerful alternative to Postman. Try now ->

Understanding the X-Forwarded-Proto Header: Purpose, Use Cases, and Security

Rashmi Saini
December 12, 2025
6MIN READ
Learn how the X-Forwarded-Proto header preserves client protocol info in proxy environments, its role in HTTPS handling, and best practices for secure implementation.

Your lightweight Client for API debugging

No Login Required

Get Requestly

The X-Forwarded-Proto header indicates whether a client’s request was made using HTTP or HTTPS, helping servers identify the original protocol when traffic passes through proxies or load balancers. It ensures proper redirects, secure sessions, and accurate handling of mixed-protocol environments.

This article explores how the X-Forwarded-Proto header works, why it’s essential for applications behind proxies, and how to configure and test it effectively.

What is the X-Forwarded-Proto Header?

The X-Forwarded-Proto header is a de-facto standard HTTP header used to identify the protocol (HTTP or HTTPS) that a client originally used to connect to a server through a proxy, load balancer, or reverse proxy. When a client request passes through intermediaries, the server typically only sees the protocol used between the proxy and itself, losing visibility into the original protocol.

The X-Forwarded-Proto header preserves this information by being set by the proxy with values like http or https, enabling the backend server to make accurate decisions about redirects, secure cookies, and URL generation. Although not part of an official RFC, it is widely supported across platforms like AWS, Cloudflare, and Nginx, with the standardized Forwarded header serving as its modern alternative.

How the X-Forwarded-Proto Header Works

The X-Forwarded-Proto header works by preserving the original protocol (HTTP or HTTPS) used by a client when connecting through proxies, load balancers, or reverse proxies. Here’s how it functions:

  • When a client sends a request to a server via a proxy or load balancer, the intermediary adds the X-Forwarded-Proto header to indicate the protocol used in the original request.
  • For example, if a user accesses a site over HTTPS, the proxy sets the header as:
  • X-Forwarded-Proto: https.
  • This allows the backend server to correctly identify the client’s intended protocol, even if the connection between the proxy and server uses HTTP.
  • The header is especially important in scenarios involving SSL/TLS termination at the proxy level, where encryption is handled externally, and the internal network communicates over HTTP.
  • Common non-standard variations include:
  • Front-End-Https: on (Microsoft)
  • X-Forwarded-Ssl: on
  • X-Url-Scheme: https.
  • The standardized alternative is the Forwarded header defined in RFC 7239, though X-Forwarded-Proto remains more widely adopted.

This mechanism ensures accurate handling of secure redirects, cookie policies, and URL generation in proxied

Common Use Cases

The X-Forwarded-Proto header is used in various real-world scenarios to ensure applications behave correctly when deployed behind proxies, load balancers, or CDNs. Here are the most common use cases:

  • Redirecting HTTP to HTTPS: Applications use the header to detect if the original request was over HTTP and redirect users to the secure HTTPS version, ensuring consistent secure access.
  • Enforcing secure cookies and sessions: Backend systems check the X-Forwarded-Proto: https value to determine whether to set secure-only cookies, preventing transmission over insecure connections.
  • Generating correct absolute URLs: Web frameworks and APIs use the header to build accurate redirect URLs, password reset links, or API endpoints that reflect the original protocol used by the client.
  • Handling mixed content issues: By identifying the original protocol, servers can ensure that assets like scripts, stylesheets, and images are served over HTTPS when the page is loaded securely, avoiding browser warnings.
  • SSL/TLS termination at load balancers: In architectures where HTTPS is terminated at the proxy (e.g., AWS ELB, Cloudflare), the backend server relies on this header to know the client used HTTPS, even though the internal communication is over HTTP.
  • Access control and logging: Some applications log the X-Forwarded-Proto value to monitor traffic patterns or enforce policies based on connection security, such as allowing certain endpoints only over HTTPS.

requestly

Security Risks Related to X-Forwarded-Proto

The X-Forwarded-Proto header introduces several security risks if not properly validated and secured:

  • Header spoofing and protocol bypass: Since the header is not authenticated, attackers can forge it to make the backend believe a request was made over HTTPS when it was actually sent over HTTP. This can bypass security checks that rely on X-Forwarded-Proto: https, potentially exposing sensitive operations meant only for secure connections.
  • Insecure redirects and mixed content: If applications blindly trust the header, attackers can manipulate it to force HTTPS redirects to malicious domains or inject insecure resources into otherwise secure pages, leading to mixed content warnings or phishing attacks.
  • Access control bypass: Some applications use the header to enforce access policies (e.g., allowing admin access only over HTTPS). A forged header can trick the system into granting access based on a false protocol claim.
  • Denial-of-service via malformed headers: Extremely long or malformed X-Forwarded-Proto values can cause buffer overflows or parsing errors in poorly implemented servers, leading to crashes or memory exhaustion.
  • HTTP header injection vulnerabilities: In some cases, improper handling of the header has led to HTTP header injection, allowing attackers to insert malicious headers or manipulate application behavior.

To mitigate these risks, servers should only trust X-Forwarded-Proto when it originates from known, trusted proxies, and all external input should be filtered at the network or reverse proxy level

Best Practices for using X-Forwarded-Proto Header

Here are the best practices for securely and effectively using the X-Forwarded-Proto header:

  • Only trust headers from known proxies: Never assume the X-Forwarded-Proto value is accurate unless it originates from a trusted reverse proxy, load balancer, or CDN. Untrusted clients can spoof this header to bypass security checks.
  • Validate and sanitize header input: Implement server-side logic to verify that the header contains only expected values (http or https) and reject malformed or unexpected inputs to prevent injection attacks or parsing errors.
  • Use standardized alternatives when possible: Prefer the Forwarded header (defined in RFC 7239) over X-Forwarded-Proto, as it provides a more secure and standardized format with better support for multiple hops and authentication.
  • Enforce protocol handling at the proxy level: Configure your reverse proxy (e.g., Nginx, AWS ALB, Cloudflare) to set or override the X-Forwarded-Proto header, ensuring consistency and preventing client-side manipulation.
  • Implement fallback mechanisms: If the header cannot be trusted, rely on direct connection inspection (e.g., server TLS state) to determine the protocol, rather than blindly following the header value.
  • Avoid using it for critical security decisions: Do not base access control, authentication, or session security solely on X-Forwarded-Proto. Instead, use it as a supplementary signal alongside other secure mechanisms.

Debugging and Testing X-Forwarded-Proto with Requestly

Requestly by BrowserStack is an open-source HTTP interceptor and API testing tool available as a browser extension and desktop application, designed to help developers and QA engineers debug, modify, and mock network requests in real time.

Requestly allows developers to simulate how applications behave when running behind reverse proxies or load balancers. Since the X-Forwarded-Proto header is typically set by infrastructure components (like Nginx or AWS ALB), replicating its behavior during local development can be challenging.

Requestly solves this by letting users inject or modify the X-Forwarded-Proto header directly in the browser, enabling accurate testing of HTTPS redirects, secure cookie logic, and protocol-based access controls without requiring backend changes or staging environment access.

Key benefits include:

  • No proxy setup: Works natively in Chrome, Firefox, and Edge using browser APIs.
  • Real-time header modification: Easily add, edit, or remove X-Forwarded-Proto to test different protocol scenarios.
  • Cross-environment consistency: Share rules across teams to ensure uniform testing conditions.
  • Secure and isolated: Only affects traffic in the installed browser, with no impact on system-wide network settings.


Try Requestly Now

 

By using Requestly, developers can confidently validate their application’s handling of proxied HTTPS traffic long before deployment, reducing bugs and improving security

Conclusion

The X-Forwarded-Proto header is crucial for enabling secure and accurate protocol detection in modern web environments that use proxies and load balancers. When implemented with the right best practices, it helps ensure proper redirects, secure cookie handling, and safe content delivery.

However, servers should only trust this header from known intermediaries to prevent spoofing and related security risks. By combining careful validation with effective testing tools like Requestly, teams can reliably support protocol-sensitive logic across all stages of their application’s lifecycle.

Written by
Rashmi Saini

Related posts

Understanding X-Forwarded-Host: Security Risks and Safe Implementation
Learn how the X-Forwarded-Host header can introduce security risks like host injection and cache poisoning, and discover best practices for secure, reliable use in web applications.
Rashmi Saini
December 12, 2025
Unsafe-Inline in CSP: Why is it a Risk and How to Fix it
Discover why ‘unsafe-inline’ in Content Security Policy compromises web security and explore secure alternatives to build robust defenses.
Rashmi Saini
December 12, 2025
The Developer’s Swiss Army Knife: HTTP Interception, Mocking, and Testing in One Tool
A unified, lightweight tool that replaces API mocking, interception, and testing—cutting context switching so developers stay in flow and ship faster.
Sohail Saifi
December 11, 2025