Should `HTTPSRedirectMiddleware` take `x-forwarded-proto: "https",` into consideration? #3197

stdedos · 2026-03-20T17:46:18Z

stdedos
Mar 20, 2026

As an "always-worrying" user (and one trying to put multiple safeguards on stuff), I noticed that, even though "everything works" when I use HTTPSRedirectMiddleware locally, when I deploy the Docker image to a service that handles SSL termination (e.g. Azure Container Apps) - it seems that the HTTPSRedirectMiddleware drives the browser into a redirect loop.

The browser does go via HTTPS (and the service handles certificates etc.), but Starlette/FastAPI sees the plain HTTP traffic after TLS termination.

However, the headers correctly show X-Forwarded-Proto: https (among others).

Is this something that HTTPSRedirectMiddleware should take into account?

Answered by MukundaKatta

Apr 21, 2026

Classic TLS-terminating-proxy setup. The redirect loop comes from scope["scheme"] being http inside the container even though the client arrived over HTTPS. Fix is to normalize the ASGI scope before HTTPSRedirectMiddleware runs: uvicorn app:app --proxy-headers --forwarded-allow-ips '*' (or a specific CIDR), or wrap manually with ProxyHeadersMiddleware from uvicorn.middleware.proxy_headers. Folding x-forwarded-proto handling directly into HTTPSRedirectMiddleware would force trusted-proxy config into every header-aware middleware, fixing it once at the edge is cleaner.

View full answer

cookesan · 2026-04-21T15:54:09Z

cookesan
Apr 21, 2026

I would not make HTTPSRedirectMiddleware trust X-Forwarded-Proto directly. That header is only meaningful after you have decided which proxy is trusted.

Starlette's middleware checks the ASGI scope["scheme"]. Behind TLS termination, the usual fix is to normalize the ASGI scope before HTTPSRedirectMiddleware runs, for example with Uvicorn proxy-header support configured for the correct trusted proxy IPs.

So the middleware order/config should be:

trusted proxy headers turn X-Forwarded-Proto: https into scope["scheme"] == "https"
HTTPSRedirectMiddleware sees the normalized scheme and does not redirect

If the app sees scope["scheme"] == "http" after TLS termination, Starlette is doing what it was told by the ASGI server. The proxy/header layer needs to be fixed first.

0 replies

MukundaKatta · 2026-04-21T17:30:18Z

MukundaKatta
Apr 21, 2026

Classic TLS-terminating-proxy setup. The redirect loop comes from scope["scheme"] being http inside the container even though the client arrived over HTTPS. Fix is to normalize the ASGI scope before HTTPSRedirectMiddleware runs: uvicorn app:app --proxy-headers --forwarded-allow-ips '*' (or a specific CIDR), or wrap manually with ProxyHeadersMiddleware from uvicorn.middleware.proxy_headers. Folding x-forwarded-proto handling directly into HTTPSRedirectMiddleware would force trusted-proxy config into every header-aware middleware, fixing it once at the edge is cleaner.

1 reply

stdedos Apr 22, 2026
Author

Aaah right!! --proxy-headers --forwarded-allow-ips '*' did the work!

For some reason, my forwarder was not in the 127.0.0.1 default - but I had assumed it was.

Thank you 😊

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Should `HTTPSRedirectMiddleware` take `x-forwarded-proto: "https",` into consideration? #3197

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Should HTTPSRedirectMiddleware take x-forwarded-proto: "https", into consideration? #3197

Uh oh!

stdedos Mar 20, 2026

Replies: 2 comments · 1 reply

Uh oh!

cookesan Apr 21, 2026

Uh oh!

Uh oh!

MukundaKatta Apr 21, 2026

Uh oh!

stdedos Apr 22, 2026 Author

Should `HTTPSRedirectMiddleware` take `x-forwarded-proto: "https",` into consideration? #3197

stdedos
Mar 20, 2026

Replies: 2 comments 1 reply

cookesan
Apr 21, 2026

MukundaKatta
Apr 21, 2026

stdedos Apr 22, 2026
Author