Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CTFd doesn't handle URL protocol properly (mixing HTTP with HTTPS)

See original GitHub issue


  • CTFd Version/Commit: b7a19f7
  • Operating System: Alpine 3.9.3
  • Running CTFd with tghosth/CTFd-docker-deploy behind a TLS-terminating Nginx.
  • Reverse proxy properly returns the host, original IP, and the requested protocol via X-Forwarded-Proto.
  • Web Browser and Version: Chrome 73

What happened? While running under HTTPS, several areas in CTFd return and redirect to http:// when they should be https://. I encountered this behaviour in the following areas:

  • All redirects caused by accessing an area that requires authentication without being authenticated. (e.g. https://ctfdomain.example/user -> http://ctfdomain.example/login)
  • All redirects resulting from actions processed by the server. (e.g. the redirect that happens after importing a backup)
  • All redirects performed in a custom plugin I’m writing using Flask Dance (it’s for Okta authentication). I realise this will be difficult to reproduce, so I’m listing here it at last. Hopefully this shares the same root cause as the other two as it’s my biggest pain point.

What did you expect to happen? Everything should be HTTPS.

How to reproduce your issue

A. Backup import:

  1. Import a backup.
  2. Wait until a redirect to HTTP happens.

I reproduced it on CTFd’s own


B. Auth redirect:

  1. curl -I https://ctfdomain.example/user
  2. Notice the returned Location: header pointing to http://. is authed all the time, so I can’t repro there, but this screenshot is from a publicly available CTF found in the first page of Googling for “Powered by CTFd”.


Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

adiovcommented, May 10, 2019

While trying to isolate the issue to make more portable reproduction steps, I have noticed that I had wsgi.url_scheme=http set because a month ago I was having the opposite problem during testing. I have now set it to https and everything is working as expected. Thanks for the help, Kevin 😃

ColdHeatcommented, May 10, 2019

Running the following for the debug server:

export REVERSE_PROXY=true

The curl command shows an https response meaning the header was respected.

❯ curl -H "X-Forwarded-Proto: https" -I http://localhost:4000/user
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 251
Location: https://localhost:4000/login?next=%2Fuser%3F
Set-Cookie: session=9338ee0e-511d-4f2f-b45b-aaeada9fcefd; HttpOnly; Path=/; SameSite=Lax
Server: Werkzeug/0.15.2 Python/2.7.15
Date: Fri, 10 May 2019 06:03:21 GMT

The same with a docker-compose modified for REVERSE_PROXY=true:

❯ curl -H "X-Forwarded-Proto: https" -I http://localhost:8000/user
HTTP/1.1 302 FOUND
Server: gunicorn/19.9.0
Date: Fri, 10 May 2019 06:07:10 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Content-Length: 219
Location: https://localhost:8000/setup

I recognize that this is a pretty low effort test but it’s late in my timezone 😄

I’ll re-open this issue for a bit. If you can isolate out what the issue is it’d be useful to know.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to Find and Fix Mixed Content Warnings on HTTPS Sites
According to Google, mixed content occurs when HTML on a website loads over a secure HTTPS connection (thanks to a recently installed SSL ......
Read more >
How to Find & Fix Mixed Content Issues with SSL / HTTPS
1. There is a great tool called Database Search and Replace, built by Interconnected/IT. As the name implies, it allows you to do...
Read more >
W3C XML Schema Definition Language (XSD) 1.1 Part 1
This specification defines several attributes for direct use in any XML documents, as described in Schema-Related Markup in Documents Being ...
Read more >
External Guidance on the implementation of Policy 0070
Send a question via our website ... Information that EMA does not consider CCI .
Read more >
Critical Issues Addressed in PAN-OS Releases
Bugs Affected Platform(if any). /Affected Version Description (release note) PAN‑92564 8.0.0‑8.0‑8, 8.1.0 PAN‑86882 8.0.0‑8.0.7. and all older Mainlines PAN‑81990 PA‑5220,PA‑5250. /. 8.0.4 Multiple DP restarts by...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found