Mixed Content error: HTTP vs. HTTPS
I have a Railway/React/Vite frontend accessing a Railway/Fastapi backend, and my frontend receives the following error:
Mixed Content: The page at 'https://domain' was loaded over HTTPS, but requested an insecure resource 'http://domain'. This request has been blocked; the content must be served over HTTPS.
The URL does indicate https, but it seems Railway is trying to serve it on HTTP, which is rejected by the browser.
Strangely, it seems to only occur on the first request to the backend. Clicking to another page and returning, no longer an error.
I have been looking to see if I can change a Railway setting to force HTTPS. I do see under settings Railway explicitly mentions that I can access my app over HTTP (see image) but this is not what I want. Project ID: ac828fce-6f54-43e9-825c-ac4871d226ba
34 Replies
Project ID:
ac828fce-6f54-43e9-825c-ac4871d226ba
railway is not requesting something over http, this is your app doing that, since railway runs your code as is
please share the frontends repo
my app uses this url (with https) as the base url and appends the api endpoint to each call, so it always asks for https. i don't have any references to 'http:' in my app
prepend*
yes, prepends
send me the frontends domain please
utilitygpt-stage.up.railway.app
in clickable form please
and send your package.json
as a file
that's staging. prod is here: https://utly.ai/
not that it's causing this problem, but you are serving an spa app without putting serve into spa mode
thanks- will take a look
the start command you want is
serve -s -n -L -p $PORT
i dont see any http requests?
it tends to be intermittent. you can see below this 307 error. it's requesting the resource at HTTP vs. HTTPS
the 307 is a redirect code, your frontend is fine, your backend is sending the redirect to a non https location
so this is a code issue with the backend
my backend code has no reference to http. i just start it with uvicorn
some kind of middleware or something, this is a code issue
I assure you, railway is not sending the 307, your app is
what's strange is it is intermittent. if i refresh the page, it goes away. sometimes i can just hit the page and the issue isn't there. our only middleware is cors and logging
I see that it is a redirect to a location without a trailing slash
the request has a trailing slash, and the redirect location does not
but why does the redirect send to http?
you haven't trusted the proxy's headers so your app thinks it's being requested over http, therefore it redirects to http as well
we haven't setup a proxy in our frontend deployment. is this recommended, and if so, are there railway guidelines for this?
regarding the trailing slash, this is the way that route is setup:
(with the trailing slash)
I'm talking about railways proxy
you make a request via https to railways proxy, railways proxy forwards that request to your app via http, it attaches an X-Forwarded-Proto header that's equal to https, so that if needed your app would know what the original users request was made with, but you haven't trusted that header, so your app still thinks the request was done with http
ok. i believe there's a uvicorn command to trust the reverse proxy
sounds about right
let me try that...
sounds good
tried updating the dockerfile's uvicorn command, but issue is still intermittently there. fyi did this:
do i need to add a specific host to trust railway's reverse proxy?
that would be a question for uvicorn's documentation
i'll try this via fastapi
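
Added example, not part of the thread and not either participant's code: a dependency-free ASGI sketch of the failure described above, where a trailing-slash redirect is built from the scheme the app sees, and of honouring X-Forwarded-Proto only when the connecting peer is a trusted proxy. The toy app, the TrustForwardedProto class, the host api.example.test and both IP addresses are constructed for illustration.

```python
import asyncio

TRUSTED_PROXIES = {"10.0.0.1"}  # constructed address standing in for the platform's proxy

async def app(scope, receive, send):
    """Toy ASGI app: redirects /items/ to /items and builds the absolute
    Location from scope['scheme'], i.e. from what the app believes was used."""
    host = dict(scope["headers"])[b"host"].decode()
    if scope["path"] != "/" and scope["path"].endswith("/"):
        location = f"{scope['scheme']}://{host}{scope['path'].rstrip('/')}"
        await send({"type": "http.response.start", "status": 307,
                    "headers": [(b"location", location.encode())]})
    else:
        await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b""})

class TrustForwardedProto:
    """Rewrite scope['scheme'] from X-Forwarded-Proto, but only for peers in
    `trusted`; any other client could set the header to whatever it likes."""
    def __init__(self, inner, trusted):
        self.inner, self.trusted = inner, trusted

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["client"][0] in self.trusted:
            raw = dict(scope["headers"]).get(b"x-forwarded-proto", b"")
            proto = raw.decode().strip().lower()
            if proto in ("http", "https"):
                scope = {**scope, "scheme": proto}
        await self.inner(scope, receive, send)

def redirect_location(asgi_app, peer_ip, forwarded_proto="https"):
    """Send one constructed request (plain HTTP hop from `peer_ip`, carrying
    X-Forwarded-Proto) and return the Location header of the 307."""
    scope = {"type": "http", "scheme": "http", "path": "/items/",
             "client": (peer_ip, 50000),
             "headers": [(b"host", b"api.example.test"),
                         (b"x-forwarded-proto", forwarded_proto.encode())]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(asgi_app(scope, receive, send))
    return dict(sent[0]["headers"])[b"location"].decode()

if __name__ == "__main__":
    wrapped = TrustForwardedProto(app, TRUSTED_PROXIES)
    print(redirect_location(app, "10.0.0.1"))         # header ignored
    print(redirect_location(wrapped, "10.0.0.1"))     # header honoured
    print(redirect_location(wrapped, "203.0.113.9"))  # untrusted peer
```

uvicorn's own options for this are --proxy-headers and --forwarded-allow-ips; the thread does not say which addresses Railway's proxy connects from.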