X-Forwarded-Proto Inspect

Parse and diagnose HTTP headers and routing signals in your browser. No input is sent to a server. Use it for first-pass observation-gap troubleshooting.

How to use

Paste X-Forwarded-Proto (and optionally X-Forwarded-Host) and click “Parse”. The tool lists the values and their order. Input can be individual header lines, a multi-line paste, or a full header block.

Notes (this tool)

  • Values outside your trust boundary can be spoofed. Define selection rules based on your proxy setup.

About this page

What does this tool do?

Splits X-Forwarded-Proto and X-Forwarded-Host into their values and displays scheme/host hints for debugging.

Useful for diagnosing “https detected as http”, redirect loops, and broken URL generation.

X-Forwarded-Proto basics

  • X-Forwarded-Proto is a hint for the original scheme (http/https).
  • Apps behind TLS-terminating load balancers use it to detect https.
  • X-Forwarded-Host is a hint for the original host.

Syntax (how to read)

Each header may carry a single value or a comma-separated list (multi-proxy setups).

  • X-Forwarded-Proto: https
  • X-Forwarded-Proto: https, http
  • X-Forwarded-Host: example.com

Examples (common patterns)

  • TLS termination at LB: X-Forwarded-Proto: https allows the app to detect https
  • Multiple proxies: X-Forwarded-Proto becomes multi-valued; selection becomes important
  • Host rewrite: unexpected X-Forwarded-Host breaks redirects/URL generation

Glossary (terms used on this page)

  • Scheme: protocol such as http/https.
  • TLS termination: HTTPS ends at a load balancer.
  • Redirect loop: infinite redirects due to scheme mismatch.

Why it helps (scheme mismatches)

Behind proxies, the scheme/host seen by the app can differ from what the user sees. X-Forwarded-Proto/Host bridge that gap.

  • HTTPS detected as http → X-Forwarded-Proto missing/overwritten
  • Redirect loops → scheme mismatch
  • Host mismatch → check X-Forwarded-Host

Which value to use? (trust boundary)

When multiple values appear, choosing purely by position is risky. The standard approach is to only trust the value set/overwritten by your trusted edge proxy.

  • Configure trusted proxy count/ranges in your app to decide the “real scheme”
  • Cross-check with Forwarded: proto to detect contradictions
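One way to tie the selection to a trusted proxy count and cross-check it against Forwarded, as an added example (not this tool's own code). It assumes every trusted proxy appends one value, so the edge proxy's entry sits `trustedHops` positions from the right; the function names, the `trustedHops` parameter and the sample headers are constructed for illustration.

```javascript
// Added example. Function names and the trustedHops model are assumptions,
// not this tool's code. Assumes every trusted proxy appends one value.

// Flatten repeated header lines and comma lists into one ordered list.
function splitList(values) {
  return values.flatMap(v => v.split(','))
    .map(s => s.trim().toLowerCase())
    .filter(Boolean); // empty list elements are ignored
}

// Ordered proto= values from Forwarded elements (null where absent).
// Simplification: assumes no commas inside quoted strings.
function forwardedProtos(values) {
  return values.flatMap(v => v.split(',')).map(el => {
    const m = /(?:^|;)\s*proto\s*=\s*"?([a-z]+)"?/i.exec(el);
    return m ? m[1].toLowerCase() : null;
  });
}

// Pick the entry written by the edge proxy: trustedHops positions from the
// right. Everything left of it came from outside the trust boundary.
function selectScheme(xfpValues, forwardedValues, trustedHops) {
  const list = splitList(xfpValues);
  const idx = list.length - trustedHops;
  if (!Number.isInteger(trustedHops) || trustedHops < 1 || idx < 0) {
    return { scheme: null, reason: 'no trusted entry at that hop' }; // fail closed
  }
  const scheme = list[idx];
  if (scheme !== 'http' && scheme !== 'https') {
    return { scheme: null, reason: 'invalid scheme token' };
  }
  // Cross-check the same hop in Forwarded, if that header is present.
  const fwd = forwardedProtos(forwardedValues);
  const fwdProto = fwd.length >= trustedHops ? fwd[fwd.length - trustedHops] : null;
  if (fwdProto && fwdProto !== scheme) {
    return { scheme: null, reason: 'conflicts with Forwarded proto' };
  }
  return { scheme, reason: 'ok', untrusted: list.slice(0, idx) };
}

// Constructed sample: the client injected "https", the edge appended "http".
const sample = selectScheme(['https, http'], ['for=192.0.2.1;proto=http'], 1);
console.log(sample); // scheme "http"; untrusted ["https"]
```

A `null` scheme means the request should be treated as undetermined rather than defaulting to https.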

Common pitfalls

  • App ignores X-Forwarded-Proto (missing trusted proxy config)
  • Multiple proxies overwrite or disagree on values
  • X-Forwarded-Host has multiple values but app doesn’t handle order

Security notes (trust boundaries)

These headers are spoofable by clients; only trust values set by trusted proxies.

Debugging workflow (recommended)

  • Extract X-Forwarded-Proto / Host via Request Headers Parser
  • Split values here and check order
  • Check consistency with Forwarded (proto/host)

How to test (measure)

X-Forwarded-Proto/Host are usually added between intermediaries and your app, so browsers may not show them. App/LB/CDN logs are more reliable.

  • If not visible in DevTools: it may exist upstream but not reach the browser
  • Compare app logs (chosen scheme/host) with raw header values

Troubleshooting checklist by symptom

  • Redirect loop: scheme mismatch (X-Forwarded-Proto / Forwarded: proto / trusted proxy config)
  • Always http: check TLS termination point, whether X-Forwarded-Proto is set, and if it’s overwritten
  • Broken URL generation: X-Forwarded-Host/Host, proxy-trust config, and multi-value handling

What this tool does

  • Split X-Forwarded-Proto / X-Forwarded-Host into lists
  • Show order of multiple values
  • Extract relevant lines from full headers

Operational notes

  • Intermediaries may rewrite headers. Compare captures from equivalent points.
  • Confirm final decisions with server logs and configuration such as trusted proxy and routing.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • MDN: X-Forwarded-Proto / X-Forwarded-Host

FAQ

Which value should be used?

Only use values set by trusted edge proxies; ignore untrusted values beyond your trust boundary.

X-Forwarded-Proto conflicts with Forwarded: proto

Conflicts can occur due to overwrite order. Define trust boundaries and establish a precedence rule.
