You can clone with
HTTPS or Subversion.
Here's the line where you parse x-forwarded-proto: https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L252
Basically, you check that it equals "https". However, if the request needs to go through multiple proxies it's common practice to append the protocols as you go through proxies, e.g. "https,http". This is what node-http-proxy does: https://github.com/nodejitsu/node-http-proxy/blob/master/lib/node-http-proxy/http-proxy.js#L154
You can also see this behavior listed in Wikipedia for, at least, X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For#Format
So you should probably split on comma and check that the first element in the resulting array is 'https' instead
that's mentioning X-Forwarded-For only, I've never seen this outside of node-http-proxy, but the split certainly wouldn't hurt
Fixes #733 - parse x-forwarded-proto in a more generally compatibly way