What is a full specification of X-Forwarded-Proto HTTP header?
What is a full specification of X-Forwarded-Proto
HTTP header values?
There is no "full specification" -- it's a de facto standard. The X-
in front of a header name customarily* has denoted it as experimental/non-standard/vendor-specific. Once it's a standard part of HTTP, it'll lose the prefix.
There's some work from the IETF on standardizing it, but it's just at the draft stages, as far as i can tell. Check out https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-http-forwarded-10 for the latest draft as of the time of this writing. But be aware that it can change at any time while it's being fleshed out, and don't rely on it in production stuff yet.
Update:
RFC 7239 now defines the Forwarded:
header, which is intended to replace X-Forwarded-*
. If you care about standards, i would recommend using that instead.
* This used to be an official thing, but no longer is. RFC 6648 deprecates the X-
prefixing convention. Unfortunately, the convention is so widely known (and the deprecation so low-key) that most people outside the IETF will probably ignore the recommendation.
There finally is RFC 7239 - Forwarded HTTP Extension from june 2014. The header is defined in section 5.4.
Some examples:
Forwarded: proto=https
Forwarded: for=1.2.3.4;proto=http
I just hope this won't take too much time to get widely adopted. An example of the diversity of headers because of standard lacking (from here):
-
X-Forwarded-Proto: https
(de facto standard) X-Forwarded-Protocol: https
X-Forwarded-Ssl: on
X-Url-Scheme: https
Front-End-Https: on
I'm not aware of a "full specification".
The IETF APPSArea Working Group recently decided to define a new header field "Forwarded" which is supposed to replace the "X-Forwarded-*" header fields that you mentioned.
See https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-http-forwarded for details.