Deploy
Proxy & HTTPS
Correct scheme detection impacts cookie security and challenge flows. If you terminate TLS at a load balancer / reverse proxy, you must forward and trust the right headers.
Why it matters
- The agent sets a passport cookie after challenge success.
- Cookie uses Secure only when HTTPS is detected.
- If HTTPS is misdetected, you can get challenge loops (cookie not persisted).
PHP agent (HTTPS detection)
The PHP agent uses a conservative heuristic: $_SERVER['HTTPS'] or SERVER_PORT == 443.
On some proxies this may be incorrect unless your proxy forwards HTTPS state into the upstream.
Prefer terminating TLS on the web server where PHP runs, or ensure your proxy is configured to set HTTPS=on / correct port.
Node (Express trust proxy)
If behind a reverse proxy (Nginx, Cloudflare, ALB), enable trust proxy:
import express from 'express';
const app = express();
// critical when TLS terminates at proxy
app.set('trust proxy', true);
// mount AuraGuardian middleware early
Python (ASGI proxy headers)
Your ASGI server must accept forwarded headers. For uvicorn:
uvicorn app:app --proxy-headers --forwarded-allow-ips='*'
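What trusting forwarded headers from a fixed proxy list amounts to, as an added example (not AuraGuardian or uvicorn code): the scheme is taken from X-Forwarded-Proto only when the direct peer is a known proxy, and the Secure attribute follows from that result. The function names, the cookie name and attributes, and the 10.0.0.0/8 range are assumptions made for illustration.

```python
import ipaddress

# Assumption: only these peers (your proxy / load balancer) may assert the scheme.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed sample range


def peer_is_trusted(peer_ip, trusted=TRUSTED_PROXIES):
    """True when the direct TCP peer is one of our own proxies."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address is never trusted
    return any(addr in net for net in trusted)


def effective_scheme(peer_ip, socket_is_tls, headers, trusted=TRUSTED_PROXIES):
    """Scheme the browser used, as far as this hop can establish it."""
    if socket_is_tls:
        return "https"  # TLS terminated here, no header needed
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    proto = lowered.get("x-forwarded-proto", "")
    # The value may be a comma list when proxies are chained; this sketch
    # reads the first entry and assumes the edge proxy overwrites the header.
    first = proto.split(",")[0].strip().lower()
    if first == "https" and peer_is_trusted(peer_ip, trusted):
        return "https"
    return "http"  # header absent, or sent by a peer we do not trust


def passport_cookie(value, scheme):
    """Build a Set-Cookie value; Secure is added only for HTTPS."""
    # Assumption: cookie name and the other attributes are illustrative.
    attrs = [f"passport={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if scheme == "https":
        attrs.append("Secure")
    return "; ".join(attrs)
```

Passing --forwarded-allow-ips='*' is the equivalent of a list that matches every peer, so it fits only deployments where the app port is reachable solely through the proxy.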
Cloudflare notes
- PHP agent supports trusting CF-Connecting-IP only when cloudflare_cidrs is configured in rules.
- Forwarded scheme/header config is still required for correct Secure cookie behavior.