Front-end proxy headers spoofed by clients
Severity: critical (security). Updated Jan 1, 2024 (via Exa)
Technologies:
How to detect:
If the front-end proxy does not strip client-supplied secure-scheme headers (X-Forwarded-Proto, X-Forwarded-SSL, etc.) before forwarding a request, a client can forge scheme information and make a plain-HTTP request appear to have arrived over HTTPS. This breaks every security assumption the application derives from wsgi.url_scheme (secure-cookie flags, HTTPS-only redirects, absolute URL generation).
Recommended action:
Configure the front-end proxy (nginx, haproxy, etc.) to strip every header listed in secure_scheme_headers from client requests before forwarding, and to set those headers itself based on whether the client connection actually used TLS. Verify that forwarded_allow_ips restricts trust in those headers to the known proxy IPs only. Never set forwarded_allow_ips to '*' unless other security controls prevent clients from reaching the application server directly.
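The following is an added example, not code from the page's author or from any WSGI server project. It re-implements, in plain Python, the trust rule that the settings above describe (the names secure_scheme_headers and forwarded_allow_ips are the ones Gunicorn uses, and the default header table below mirrors Gunicorn's documented default; that the server in question is Gunicorn is an assumption). It also models what a correctly configured proxy does (strip, then set), and goes slightly beyond the text by accepting CIDR networks in the allow list. The function names, the sample addresses and the sample headers are all constructed for the example.

```python
"""Added example: how forwarded_allow_ips and secure_scheme_headers decide
wsgi.url_scheme, and why the proxy must strip client-supplied scheme headers."""
import ipaddress
from typing import Dict, List, Mapping, Optional

# Header name -> value that signals "the proxy saw HTTPS".
# Mirrors Gunicorn's documented default for secure_scheme_headers (assumption).
DEFAULT_SECURE_SCHEME_HEADERS: Dict[str, str] = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def _parse_allow_list(forwarded_allow_ips: str) -> Optional[List[ipaddress._BaseNetwork]]:
    """Turn the comma-separated setting into networks. '*' returns None (trust everyone)."""
    if forwarded_allow_ips.strip() == "*":
        return None
    nets = []
    for item in forwarded_allow_ips.split(","):
        item = item.strip()
        if item:
            # strict=False lets a bare host address such as 127.0.0.1 become a /32.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def peer_is_trusted(remote_addr: str, forwarded_allow_ips: str) -> bool:
    """True if the TCP peer that delivered the request may assert scheme headers."""
    nets = _parse_allow_list(forwarded_allow_ips)
    if nets is None:
        return True  # '*': every peer, including an arbitrary internet client, is trusted
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in nets)


def resolve_url_scheme(
    remote_addr: str,
    headers: Mapping[str, str],
    forwarded_allow_ips: str = "127.0.0.1",
    secure_scheme_headers: Mapping[str, str] = DEFAULT_SECURE_SCHEME_HEADERS,
) -> str:
    """Compute wsgi.url_scheme for a request that arrived over plain HTTP.

    Scheme headers are honoured only when the peer is in forwarded_allow_ips;
    from any other peer they are ignored and the scheme stays 'http'.
    """
    if not peer_is_trusted(remote_addr, forwarded_allow_ips):
        return "http"
    upper = {name.upper(): value for name, value in headers.items()}
    for name, expected in secure_scheme_headers.items():
        if upper.get(name.upper()) == expected:
            return "https"
    return "http"


def strip_client_scheme_headers(
    headers: Mapping[str, str],
    secure_scheme_headers: Mapping[str, str] = DEFAULT_SECURE_SCHEME_HEADERS,
) -> Dict[str, str]:
    """What the front-end proxy must do first: drop every client-supplied scheme header."""
    blocked = {name.upper() for name in secure_scheme_headers}
    return {name: value for name, value in headers.items() if name.upper() not in blocked}


def forward_through_proxy(client_headers: Mapping[str, str], client_used_tls: bool) -> Dict[str, str]:
    """Model of a correctly configured proxy: strip, then set X-Forwarded-Proto
    from what the proxy itself observed on the client connection."""
    out = strip_client_scheme_headers(client_headers)
    out["X-Forwarded-Proto"] = "https" if client_used_tls else "http"
    return out


if __name__ == "__main__":
    # Constructed sample: a plain-HTTP client claiming to be HTTPS.
    spoofed = {"Host": "app.example", "X-Forwarded-Proto": "https"}
    print(resolve_url_scheme("203.0.113.5", spoofed, "127.0.0.1"))   # http  (untrusted peer, header ignored)
    print(resolve_url_scheme("127.0.0.1", spoofed, "127.0.0.1"))     # https (local proxy is trusted)
    print(resolve_url_scheme("203.0.113.5", spoofed, "*"))           # https (the dangerous '*' setting)
    print(forward_through_proxy(spoofed, client_used_tls=False))    # proxy overwrites the forged value
```

Run it directly to see the four cases: the same forged header is ignored from an untrusted address, accepted from the allow-listed proxy, and accepted from anyone once forwarded_allow_ips is '*'. The last line shows that stripping alone is not enough; the proxy must also set the header from its own observation, otherwise a request that genuinely arrived over TLS would lose that information.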