Chapter 28: HTTPS, TLS, and Proxy-Aware Apps

ASP.NET Core often handles forwarded headers and HTTPS redirection. Python apps are commonly behind a reverse proxy, load balancer, or platform edge.

Key decisions:

• TLS usually terminates at the proxy or platform.
• The app must understand forwarded scheme and host headers.
• Cookies must be Secure, HttpOnly, and use an appropriate SameSite setting.
• HSTS belongs at the edge or app, but configure it deliberately.
• CORS is not a security boundary. It is browser behavior.

Proxy-aware concerns:

• Generate correct absolute URLs.
• Redirect to HTTPS only when the app knows the original scheme.
• Trust forwarded headers only from trusted proxies.
• Set allowed hosts to prevent host header attacks.

In FastAPI/Starlette deployments, read your ASGI server and platform docs carefully. This area is deployment-specific.