Symfony get HTTP_X_FORWARDED_PROTO in controller

It’s often the case that people that use Cloudflare use the SSL option of cloudflare that secures the connection from the client to Cloudflare, but not from Cloudflare to the actual hosting server. In this case people might get the impression that the user is accessing the site from https but actually the hosting server is accessed with http and Symfony’s $request->isSecure() returns false.

If you as a developer want to see if the user has https in front of the url you can use:

$request->server->get('HTTP_X_FORWARDED_PROTO')

If the user’s connection from browser to Cloudflare is secured it will return https.

In short, this solves the problem if $request->isSecure() looks like it’s not working together with Cloudflare or when you have a load balancer in front of your website. The true is that it actually works correctly and we simply forget that the connection from Cloudflare or loadbalancer to the actual hosting server is not secured.

Leave a Reply

Your email address will not be published. Required fields are marked *