
feat: fix resourceUrl when hono server is behind reverse proxy

Open CarsonRoscoe opened this issue 5 months ago • 2 comments

Fix: Hono middleware now correctly handles reverse proxy environments

Problem

When the Hono middleware was deployed behind reverse proxies (Vercel, Railway, etc.), the resource URL in payment requirements would incorrectly use http:// instead of https://, causing discovery failures. This occurred because Hono servers behind reverse proxies operate in an HTTP context, and unlike Express or Next.js, Hono doesn't automatically handle reverse proxy environments.

Root Cause

The middleware was directly using c.req.url to construct the resource URL. In reverse proxy environments, this URL reflects the internal HTTP connection between the proxy and the server, not the external HTTPS connection from the client to the proxy. The reverse proxy sets X-Forwarded-Proto and X-Forwarded-Host headers to indicate the original protocol and host, but the middleware wasn't checking for these headers.

Related Hono issue: https://github.com/honojs/node-server/issues/146

Solution

The middleware now:

  1. Checks for X-Forwarded-Proto and X-Forwarded-Host headers when no custom resource is configured
  2. Reconstructs the resource URL using these forwarded headers if present, ensuring the correct protocol (https) and host
  3. Falls back to the original behavior (c.req.url) when not behind a reverse proxy

Checklist

  • [x] I have formatted and linted my code
  • [x] All new and existing tests pass
  • [x] My commits are signed (required for merge) -- you may need to rebase if you initially pushed unsigned commits

CarsonRoscoe avatar Nov 12 '25 19:11 CarsonRoscoe
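
The three-step resolution described in the Solution above, as an added example (not the PR's code or the x402 middleware itself). Forwarded headers are only trustworthy when the proxy overwrites whatever the client sent, so this sketch also checks the protocol and host before using them. resolveResourceUrl, TRUSTED_HOSTS, headersFrom and the sample hosts are hypothetical.

```typescript
// Added example, not the x402 middleware's code. All names and sample
// values below are hypothetical.
type HeaderGetter = (name: string) => string | undefined;

// Assumption: the operator lists the public hostnames its proxy serves.
const TRUSTED_HOSTS = new Set<string>(["api.example.com"]);

// Chained proxies may append values ("https, http"). Assumption: the first
// entry is the one to use.
function firstValue(raw: string | undefined): string | undefined {
  const value = (raw ?? "").split(",")[0]?.trim().toLowerCase();
  return value ? value : undefined;
}

function resolveResourceUrl(
  requestUrl: string, // what c.req.url reports (the internal hop)
  header: HeaderGetter, // in Hono: (name) => c.req.header(name)
  customResource?: string
): string {
  // Step 1: an explicitly configured resource always wins.
  if (customResource) return customResource;

  const proto = firstValue(header("x-forwarded-proto"));
  const host = firstValue(header("x-forwarded-host"));

  // Step 3: no forwarded headers means no proxy, keep the original URL.
  if (!proto || !host) return requestUrl;

  // Added check: ignore an unexpected protocol or an unlisted host.
  const protoOk = proto === "http" || proto === "https";
  if (!protoOk || !TRUSTED_HOSTS.has(host)) return requestUrl;

  // Step 2: rebuild the external URL, keeping the path and query string.
  const internal = new URL(requestUrl);
  return `${proto}://${host}${internal.pathname}${internal.search}`;
}

// Constructed sample request as seen by the server behind the proxy.
function headersFrom(map: Record<string, string>): HeaderGetter {
  return (name) => map[name];
}
const proxied = headersFrom({
  "x-forwarded-proto": "https",
  "x-forwarded-host": "api.example.com",
});
console.log(resolveResourceUrl("http://10.0.0.5:3000/weather?city=nyc", proxied));
```
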

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
x402 Ready Ready Preview Comment Nov 12, 2025 11:42pm

vercel[bot] avatar Nov 12 '25 19:11 vercel[bot]

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

cb-heimdall avatar Nov 12 '25 19:11 cb-heimdall