Recently I was bringing up a site based on Grav, which uses psr7-server/ServerRequestCreator.php directly to prepare a request object for further manipulation. The server I was using had the following peculiarity: it had $_SERVER['REQUEST_SCHEME'] set to http and at the same time $_SERVER['HTTPS'] set to on. All of that while I was using exclusively HTTPS. This caused an occasional problem when a redirection was made to e.g. http://example.com:443/about instead of https://example.com/about. I believe the way the scheme detection works now is a problem, since current code will set scheme as http even though the server also reports $_SERVER['HTTPS'] as being used. I mean this fragment:
Recently I was bringing up a site based on Grav, which uses psr7-server/ServerRequestCreator.php directly to prepare a request object for further manipulation. The server I was using had the following peculiarity: it had
$_SERVER['REQUEST_SCHEME']
set tohttp
and at the same time$_SERVER['HTTPS']
set toon
. All of that while I was using exclusively HTTPS. This caused an occasional problem when a redirection was made to e.g.http://example.com:443/about
instead ofhttps://example.com/about
. I believe the way the scheme detection works now is a problem, since current code will set scheme ashttp
even though the server also reports$_SERVER['HTTPS']
as being used. I mean this fragment:https://github.com/Nyholm/psr7-server/blob/b846a689844cef114e8079d8c80f0afd96745ae3/src/ServerRequestCreator.php#L272-L276
Shouldn't
HTTPS
header have precedence here? Something like this code here (from https://www.designcise.com/web/tutorial/how-to-check-for-https-request-in-php):or, at least, reverse the order of condition checks?
I think this problem is somewhat related, but not identical to https://github.com/Nyholm/psr7-server/issues/29.