Feature request: configurable header name for x-forwarded-proto


Hi,

Would it be possible to make the exact header-name checked for in line 640 of index.js to be a config option instead of hard coded to “x-forwarded-proto” please?


The reason I ask is that we have a deployment situation where there are 2 AWS load balancers sequentially reverse proxying before the express code is requested, and the 2nd one unfortunately overwrites the x-forwarded-proto set by the 1st (which has the value we want).

In other applications we’ve been able to write the 1st LB’s x-forwarded-proto into another header so it’s visible downstream, and then look at the other header. Unfortunately without forking and modifying express-session’s source, we can’t find a way to trick express-session’s issecure() method into looking at that other named header, so all secure cookies are dropped.

I’m happy to fork and maintain a clone if it’s the only way, but I just thought I’d ask: if it’s possible to take the header name to use instead of x-forwarded-proto as an option in the session constructor that could be overridden, or a custom getXForwardedProtoHeaderValue() function be supplied, it would make that unnecessary.

Happy to write a patch if it would help and submit, just wanting to sound out whether it’s an option or not. Thank you,

Rick Knowles

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

2 reactions
dougwilson commented, Feb 2, 2022

http://expressjs.com/en/guide/overriding-express-api.html

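// Override Express's req.secure so it is derived from a header of your choosing.
// getXForwardedProtoHeaderValue is your own function; the getter passes it the request (this).
Object.defineProperty(app.request, 'secure', {
  configurable: true,
  enumerable: true,
  get: function () { return getXForwardedProtoHeaderValue(this) === 'https' }
})

1 reaction
rickknowles-cognitant commented, Feb 2, 2022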

thank you - v helpful
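
The override suggested in the thread, written out so that the alternate header is honoured only when the request arrives from a known proxy address and carries a well-formed value; otherwise any client could send the header and have `req.secure` report true. This is an added example, not code from the issue or from express-session: the header name `x-original-forwarded-proto`, the peer addresses and the function names are assumptions.

```javascript
// Added example. HEADER, TRUSTED_PEERS and the function names are hypothetical.
const HEADER = 'x-original-forwarded-proto'; // assumed header the 1st LB's value is copied into
const TRUSTED_PEERS = new Set(['10.0.1.15', '10.0.2.15']); // constructed addresses of the 2nd LB

// Returns 'https', 'http', or null when the value is absent, untrusted or malformed.
function originalProto(req, header = HEADER, trusted = TRUSTED_PEERS) {
  // Only a request arriving directly from our own proxy may assert the scheme;
  // anything else could be a client setting the header itself.
  const peer = req.socket && req.socket.remoteAddress;
  if (!peer || !trusted.has(peer.replace(/^::ffff:/, ''))) return null;
  const raw = req.headers[header];
  if (typeof raw !== 'string') return null; // header not present
  // Take the first entry of a comma-separated list, as express-session does.
  const first = raw.split(',')[0].trim().toLowerCase();
  return first === 'https' || first === 'http' ? first : null;
}

// The override from the comment above, applied to a request prototype
// (app.request in Express) and handing the request itself to the resolver.
function installSecureGetter(requestProto, resolveProto = originalProto) {
  Object.defineProperty(requestProto, 'secure', {
    configurable: true,
    enumerable: true,
    get: function () {
      if (this.socket && this.socket.encrypted) return true; // TLS ends at this process
      return resolveProto(this) === 'https';
    }
  });
  return requestProto;
}

// Constructed stand-in for an Express request, so the demo runs without Express.
const demoProto = installSecureGetter({});
function fakeRequest(remoteAddress, headers) {
  const req = Object.create(demoProto);
  req.socket = { remoteAddress };
  req.headers = headers;
  return req;
}

const viaLb = fakeRequest('10.0.1.15', { [HEADER]: 'https', 'x-forwarded-proto': 'http' });
const spoofed = fakeRequest('203.0.113.9', { [HEADER]: 'https' });
console.log(viaLb.secure, spoofed.secure);
```

In an Express app the call would be `installSecureGetter(app.request)`. express-session consults `req.secure` only when its `proxy` option is left unset; with `proxy: true` it reads `x-forwarded-proto` directly.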
