Proxy SSL header misconfiguration breaks secure cookie detection
warning | configuration | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Django runs behind a TLS-terminating proxy or load balancer, but SECURE_PROXY_SSL_HEADER is not configured. Django then incorrectly treats proxied HTTPS requests as insecure, which breaks SECURE_SSL_REDIRECT and secure cookie flags.
Recommended action:
Configure Django to recognize the proxy headers: set SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") and USE_X_FORWARDED_HOST = True. Verify that the proxy forwards the X-Forwarded-Proto header. Test that request.is_secure() returns True for proxied HTTPS requests.