connect session.js parses x-forwarded-proto wrong #733

azylman opened this Issue · 1 comment

Alex Zylman

Here's the line where you parse x-forwarded-proto:

Basically, you check that it equals "https". However, if the request needs to go through multiple proxies it's common practice to append the protocols as you go through proxies, e.g. "https,http". This is what node-http-proxy does:

You can also see this behavior listed in Wikipedia for, at least, X-Forwarded-For:

So you should probably split on comma and check that the first element in the resulting array is 'https' instead.

TJ Holowaychuk
tj commented

That's mentioning X-Forwarded-For only; I've never seen this outside of node-http-proxy, but the split certainly wouldn't hurt.

TJ Holowaychuk tj closed this in 7bcf285
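
The comma-split check suggested in this thread, next to the strict comparison it replaces, as an added example (not connect's code and not the commit that closed the issue). The function names, the `trustProxy` flag and the sample requests are assumptions constructed for illustration.

```javascript
// Strict comparison described in the issue: fails for "https,http".
function isHttpsStrict(header) {
  return header === 'https';
}

// Take the first element of a comma-separated X-Forwarded-Proto value,
// as the thread suggests. Returns '' when the header is absent.
function firstForwardedProto(header) {
  if (typeof header !== 'string') return '';
  return header.split(',')[0].trim().toLowerCase();
}

// req is a minimal stand-in for a Node request: { headers, connection }.
// trustProxy (hypothetical flag) must be false when no proxy sits in
// front of the app, because any client can send this header itself.
function isSecureRequest(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true; // direct TLS
  if (!trustProxy) return false;
  return firstForwardedProto(req.headers['x-forwarded-proto']) === 'https';
}

// Constructed sample header values, not captured traffic.
const samples = ['https', 'https,http', ' HTTPS , http', 'http,https', undefined];

for (const value of samples) {
  const req = { headers: { 'x-forwarded-proto': value }, connection: {} };
  console.log(
    JSON.stringify(value),
    'strict:', isHttpsStrict(value),
    'split:', isSecureRequest(req, true),
    'untrusted:', isSecureRequest(req, false)
  );
}
```

With the strict check, a session cookie marked `secure` would not be set for a request whose header reads `https,http`, even though the client-facing hop used TLS.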