X-HTTPS Header Not Sent For Subdomains

Users and developers helping users with generic and technical Pale Moon issues on all operating systems.

Moderator: trava90

Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
User avatar
Within The Pale
New to the forum
New to the forum
Posts: 2
Joined: 2022-12-06, 01:37

X-HTTPS Header Not Sent For Subdomains

Unread post by Within The Pale » 2022-12-06, 01:51

Operating system:
Browser version:
32-bit or 64-bit browser?:
Problem URL:
Browser theme (if not default):
Installed add-ons:
Installed plugins: (about:plugins):

I apologize if this is not the correct forum for this, but I could not find anywhere else that seemed appropriate.

This is an observation, not necessarily a bug or other issue, that has left me quite puzzled. I have been observing over the last few days that Pale Moon sends an "X-HTTPS: 1" header for base domains like "abc.com", but not for subdomains like "xyz.abc.com". This is not an order of request issue. I can request "xyz.abc.com" from a clean start and I do NOT see the "X-HTTPS: 1" header sent; but if I subsequently request "abc.com", I DO see the "X-HTTPS: 1" header sent. This is a puzzlement to me. It may be by deliberate design, but I am curious as to the reasons why, if so. Thanks in advance for any info.
Last edited by Moonchild on 2022-12-06, 07:02, edited 1 time in total.
Reason: Correct topic title
“If philanthropy is not voluntary, it destroys liberty and justice. The law can give nothing that has not first been taken from its owner.” -- Frederic Bastiat, The Law
“Now there’s no more [lofty] oak oppression, for they passed a noble law; and the trees are all kept equal by hatchet, axe, and saw.” -- Neil Peart, The Trees

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 33320
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: X-HTTP Header Not Sent For Subdomains

Unread post by Moonchild » 2022-12-06, 02:12

X-HTTPS is not a standard request header. It does seem some configurations of server front-ends add this header to pass to a back-end (e.g. using a reverse proxy) to explicitly indicate the initial connection to the server was made over https (as a back-end server might otherwise have no way to determine the inbound connection's TLS state if proxied) but that would be something that is done server-side.
"The best revenge is to not be like the person who wronged you." -- Marcus Aurelius
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb

User avatar
Within The Pale
New to the forum
New to the forum
Posts: 2
Joined: 2022-12-06, 01:37

Re: X-HTTP Header Not Sent For Subdomains

Unread post by Within The Pale » 2022-12-06, 02:20

Thank you! I appreciate the rapid response.

So the X-HTTPS header is not something that Pale Moon is sending, but rather something that certain servers are injecting into the request headers before they arrive at the back-end processor, like PHP. Still weird how apparently inconsistent it is but at least that is a server issue, and can be ignored.
“If philanthropy is not voluntary, it destroys liberty and justice. The law can give nothing that has not first been taken from its owner.” -- Frederic Bastiat, The Law
“Now there’s no more [lofty] oak oppression, for they passed a noble law; and the trees are all kept equal by hatchet, axe, and saw.” -- Neil Peart, The Trees

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 33320
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: X-HTTP Header Not Sent For Subdomains

Unread post by Moonchild » 2022-12-06, 04:39

Within The Pale wrote:
2022-12-06, 02:20
something that certain servers are injecting into the request headers before they arrive at the back-end processor, like PHP
Correct. So if PHP is sitting behind e.g. Apache, then Apache may be configured to pass on this header if the browser connection to Apache was made over https (since your PHP in that case might not be able to directly see the connection was https if the URL also does not retain that information or is not passed down). The inconsistency would be because of how Apache is configured in that case.
"The best revenge is to not be like the person who wronged you." -- Marcus Aurelius
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb

Post Reply