--- title: "Trusted proxy headers on Cloud Platform for Drupal sites" date: "2024-02-14T06:18:38+00:00" summary: "Learn how to configure trusted proxy headers for Drupal sites on Cloud Platform. Ensure your application handles headers correctly, improve security, and follow best practices with step-by-step guidance." image: type: "page" url: "/acquia-cloud-platform/trusted-proxy-headers-cloud-platform-drupal-sites" id: "eb821845-f27e-4b90-9210-9e8b0bdb475f" --- To ensure that Cloud Platform follows the best practices of the Drupal community, the configuration process for trusted proxy headers on sites running the [current Drupal version](/service-offerings/guide/software-life-cycle#supported-drupal-version) is updated. Note This change does not impact Drupal 7 sites on Cloud Platform. Changes to the current Drupal version ------------------------------------- The [current Drupal version](/service-offerings/guide/software-life-cycle#supported-drupal-version) supports the following proxy headers: * `X-Forwarded-For` * `X-Forwarded-Host` * `X-Forwarded-Port` * `X-Forwarded-Proto` * `Forwarded` However, Cloud Platform trusts the following proxy headers by default: * `X-Forwarded-For` * `X-Forwarded-Proto` To ensure that Cloud Platform trusts the other supported proxy headers, you can re-enable such headers by updating your site’s `settings.php` file. For more information, see [Ensuring that an application trusts the proxy headers](#ensuring-application-trusts). This applies to cases when your application uses other headers. Verifying the proxy headers used by an application -------------------------------------------------- Note This procedure is applicable if your application has another proxy layer, such as CDN, before Cloud Platform. To view the list of proxy headers used by your application: 1. Access your Acquia-hosted Drupal site as an admin user. Ensure that you use the same public domain that your visitors use and not the `*.acquia-sites.com` domain. 2. Access **Admin** > **Reports** > **Status Report** > **PHP** (`/admin/reports/status/php`) where the request headers used by the application is displayed. To enable the proxy headers, add the code mentioned in the [Ensuring that an application trusts the proxy headers](#ensuring-application-trusts) section. Note When accessing your site pages, if you use a domain that bypasses the CDN, you won’t see any HTTP headers added by the proxy layer. For any assistance, [create a Support ticket](/service-offerings/support#contact-acquia-support). Ensuring that an application trusts the proxy headers ----------------------------------------------------- If your application uses other trusted proxy headers, you must add a setting for each header to your `settings.php` file after the require line. For example, // Trust the X-Forwarded-Host header. if (isset($settings['reverse_proxy_trusted_headers'])) { $settings['reverse_proxy_trusted_headers'] |= \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST; } else { $settings['reverse_proxy_host_header'] = 'X_FORWARDED_HOST'; } For other proxy headers, access Drupal’s `default.settings.php` file. Acquia recommends that you test the behavior to ensure that the change does not impact your application.