Automatic Redirect when using custom domain

I know that if I use and request a resource at or, the request will get blocked by the browser.
My app works fine in http, but not in https. In my HTML code I use code like

<img src="/static/absoluteimage.png"></img>


<script src="/static/thisimportantscript.js"></script>

However I get errors like
I tried manually typing in a URL of one of my static files like, I discovered that it redirects to
which has an http protocol.
Oh and by the way, I thought this was an issue because I was using the dashboard to configure things but when I finally figured out how to unlink my domain on the side and switch it to the custom domain feature I got the same error.
Using the dashboard error(you can’t replicate it because removed the cdn feature and I can use it only because I created a project at that time):

Mixed content....the page at was loaded over HTTPS, but requested an insecure {whatever file}

This actually might be a security issue
Now using the custom domains I get:

Mixed content....the page at was loaded over HTTPS, but requested an insecure {whatever file}

Hey @javaarchive,

That error usually occurs when the host website is loaded over HTTPS and a resource is pulled over HTTP. Like change the redirects and the resource you’re pulling to HTTPS, for example, make load as HTTPS

The problem is that I never wanted it to redirect to, I wanted it to keep the subdomain and protocol. I don’t have control over the redirect so I’m trying to see if the glitch team can help? It might be on because using the non-glitch custom domains from fly this also happens.

Try adding this code to the project you’re trying to redirect to:

function checkHttps(req, res, next){
  // protocol check, if http, redirect to https
    console.log("https, yo")
    return next()
  } else {
    console.log("just http")
    res.redirect('https://' + req.hostname + req.url);

app.all('*', checkHttps)

That’ll redirect from HTTP to HTTPS.

Or you can use pure javascript.

So both methods didn’t really work, and I figured out why.
This is how my site is setup through

A: domain)
B: the logic and passes things onto the origin)
D: My original project
A ------------------> B -----------------> C -----------------> D

So upon trying khalby786’s solution this is what happended

A ------------------> B -----------------> C -----------------> D
   Secure/Insecure   Insecure              Insecure

Then my server says, C is trying to access, but isn’t using a secure connection. So it sends a redirect to C. But C just passes the request to B which passes the request back to A, which ends up redirecting itself to
RiversideRocks solution was nice for automatically switching people to https, but the redirect issue was still happening, most likely something on my server is issuing the redirect or maybe fly is doing it.
Update: I searched my entire project for redirects and found none with static files so most likely it’s a or glitch domains issue.

1 Like

I agree with this, it looks like an issue with the custom domain.

The long hash name would be the Glitch project’s “internal name”, so that the custom domain would still work if the project got renamed.

The browser is doing the right thing, sending a request for https://yourdomain/static/global.css but the response is a 308 Permanent Redirect to (and there is also a header fly-request-id: differentlonghash )

Which looks like the custom domain is still active?

There are also cloudflare headers … would cloudflare be passing the request to ?

Edit – comparing to a project that has a custom domain but never did use, it still has a fly-request-id header, so I guess Glitch are using them internally. But also don’t get a permanent redirect.

Edit again – maybe the 308 permanent redirect will be removed from all the DNS lookups after 48 hours? if not, I’d say its an issue with fly and removing the custom domain.

1 Like