From af3f04a23fba1691c4af265ff88451ccbbc8c1a1 Mon Sep 17 00:00:00 2001
From: Samir Boulahtit
Date: Thu, 12 Feb 2026 23:51:29 +0100
Subject: [PATCH] fix(deploy): add ProxyHeadersMiddleware for HTTPS behind Caddy

Caddy proxies HTTPS requests to FastAPI as HTTP on localhost:8001. Without ProxyHeadersMiddleware, request.scheme stays "http" and url_for() generates http:// URLs, causing mixed content blocking. The middleware reads X-Forwarded-Proto from Caddy and sets the correct scheme so all generated URLs use https://.

Co-Authored-By: Claude Opus 4.6
---
 main.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/main.py b/main.py
index 68a31d5a..d8b80598 100644
--- a/main.py
+++ b/main.py
@@ -26,6 +26,7 @@ from fastapi import Depends, FastAPI, HTTPException, Request, Response
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse, HTMLResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
 from sentry_sdk.integrations.fastapi import FastApiIntegration
 from sentry_sdk.integrations.sqlalchemy import SqlalchemyIntegration
 from sqlalchemy import text
@@ -119,6 +120,7 @@ app.add_middleware(
 # So we add them in REVERSE order of desired execution:
 #
 # Desired execution order:
+# 0. ProxyHeadersMiddleware (trust X-Forwarded-Proto from Caddy)
 # 1. PlatformContextMiddleware (detect platform from domain/path)
 # 2. StoreContextMiddleware (detect store, uses platform_clean_path)
 # 3. FrontendTypeMiddleware (detect frontend type using FrontendDetector)
@@ -163,9 +165,16 @@ app.add_middleware(StoreContextMiddleware)
 logger.info("Adding PlatformContextMiddleware (detects platform from domain/path)")
 app.add_middleware(PlatformContextMiddleware)

+# Add proxy headers middleware (runs before all other middleware)
+# Caddy proxies HTTPS → HTTP internally; this reads X-Forwarded-Proto
+# so request.scheme = "https" and url_for() generates correct URLs
+logger.info("Adding ProxyHeadersMiddleware (trust X-Forwarded-Proto from Caddy)")
+app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=["*"])
+
 logger.info("=" * 80)
 logger.info("MIDDLEWARE ORDER SUMMARY:")
 logger.info(" Execution order (request →):")
+logger.info(" 0. ProxyHeadersMiddleware (proxy headers)")
 logger.info(" 1. LoggingMiddleware (timing)")
 logger.info(" 2. PlatformContextMiddleware (platform detection)")
 logger.info(" 3. StoreContextMiddleware (store detection)")
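Review bot: `trusted_hosts=["*"]` in the added `app.add_middleware(ProxyHeadersMiddleware, ...)` call makes the middleware honour forwarded headers from any peer, not only from Caddy. The commit message says Caddy reaches the app on localhost:8001, so the trust list can be limited to the proxy's address, for example `app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=["127.0.0.1"])`. With the wildcard, a request that reaches the app without passing through Caddy can supply its own X-Forwarded-Proto, and this middleware also rewrites the client address from X-Forwarded-For, which would carry into any logging, rate limiting or IP-based checks further down (none of those are visible in this hunk). The comment above the call could also state which proxy address is trusted, e.g. `# Only the local Caddy instance is trusted to set X-Forwarded-* headers`, so the restriction survives a later deployment change.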