#Mixed Content error: HTTP vs. HTTPS

I have a Railway/React/Vite frontend accessing a Railway/Fastapi backend, and my frontend receives the following error:

Mixed Content: The page at 'https://domain' was loaded over HTTPS, but requested an insecure resource 'http://domain'. This request has been blocked; the content must be served over HTTPS.

The URL does indicate https, but it seems Railway is trying to serve it on HTTP, which is rejected by the browser.

Strangely, it seems to only occur on the first request to the backend. Clicking to another page and returning, no longer an error.

I have been looking to see if I can change a Railway setting to force HTTPS. I do see under settings Railway explicitly mentions that I can acess my app over HTTP (see image) but this is not what I want.

Project ID: ac828fce-6f54-43e9-825c-ac4871d226ba

railway is not requesting something over http, this is your app doing that, since railway runs your code as is

please share the frontends repo

my app uses this url (with https) as the base url and appends the api endpoint to each call, so it always asks for https. i don't have any references to 'http:' in my app

prepend*

yes, prepends

send me the frontends domain please

utilitygpt-stage.up.railway.app

in clickable form please

https://utilitygpt-stage.up.railway.app/

and send your package.json

as a file

that's staging. prod is here: https://utly.ai/

not that it's causing this problem, but you are serving an spa app without putting serve into spa mode

thanks- will take a look

the start command you want is serve -s -n -L -p $PORT

i dont see any http requests?

it tends to be intermittent. you can see below this 307 error. it's requesting the resource at HTTP vs. HTTPS

the 307 is a redirect code, your frontend is fine, your backend is sending the redirect to a non https location

so this is a code issue with the backend

my backend code has no reference to http. i just start it with uvicorn

some kind of middleware or something, this is a code issue

I assure you, railway is not sending the 307, your app is

what's strange is it is intermittent. if i refresh the page, it goes away. sometimes i can just hit the page and the issue isn't there. our only middleware is cors and logging

I see that it is a redirect to a location without a trailing slash

the request has a trailing slash, and the redirect location does not

but why does the redirect send to http?

you haven't trusted the proxy's headers so your app thinks it's being requested over http, therefore it redirects to http as well

we haven't setup a proxy in our frontend deployment. is this recommended, and if so, are there railway guidelines for this?

regarding the trailing slash, this is the way that route is setup: @router.get("/byemail/{email}", response_model=User)

(with the trailing slash)

I'm talking about railways proxy

you make a request via https to railways proxy, railways proxy forwards that request to your app via http, it attaches an X-Forwarded-Proto header that's equal to https, so that if needed your app would know what the original users request was made with, but you haven't trusted that header, so your app still thinks the request was done with http

ok. i believe there's a uvicorn command to trust the reverse proxy

sounds about right

let me try that...

sounds good

tried updating the dockerfile's uvicorn command, but issue is still intermittently there. fyi did this:

CMD uvicorn electricgptapi.main:app --host 0.0.0.0 --port $PORT --proxy-headers

do i need to add a specific host to trust railway's reverse proxy?

that would be a question for uvicorn's documentation