Bug 002: HTTP vs HTTPS URL Mismatch Behind HF Spaces Proxy
Status: FIXED Date Found: 2025-12-11 Severity: High (may cause mixed content errors or fetch failures)
Symptoms
NiiVue viewer fails to load NIfTI files with "Failed to fetch" even after CORS is fixed. Browser console may show mixed content warnings (HTTPS page loading HTTP resources).
Root Cause
HuggingFace Spaces runs containers behind a reverse proxy that handles SSL termination.
When the app constructs URLs using request.base_url, it may return http:// instead of https://
because uvicorn doesn't trust the proxy's X-Forwarded-Proto header by default.
Reference: FastAPI Static Files over HTTPS Discussion
"Starlette (FastAPI) returns http instead of https only inside containers"
The Code Path
# routes.py
def get_backend_base_url(request: Request) -> str:
env_url = os.environ.get("BACKEND_PUBLIC_URL", "").rstrip("/")
if env_url:
return env_url
return str(request.base_url).rstrip("/") # May return http:// behind proxy!
Fix
Add --proxy-headers flag to uvicorn in Dockerfile:
# BEFORE (broken)
CMD ["uvicorn", "...:app", "--host", "0.0.0.0", "--port", "7860"]
# AFTER (fixed)
CMD ["uvicorn", "...:app", "--host", "0.0.0.0", "--port", "7860", "--proxy-headers"]
This tells uvicorn to trust headers like:
X-Forwarded-Proto: httpsX-Forwarded-For: client-ip
Alternative Fixes
Set BACKEND_PUBLIC_URL: Explicitly set the public URL in HF Space settings
BACKEND_PUBLIC_URL=https://vibecodermcswaggins-stroke-deepisles-demo.hf.spaceForce HTTPS in code: Override scheme detection
def get_backend_base_url(request: Request) -> str: base = str(request.base_url).rstrip("/") # Force HTTPS in production if os.environ.get("HF_SPACES"): base = base.replace("http://", "https://") return base
Files Changed
Dockerfile- Added--proxy-headersto uvicorn CMD
Verification
- Deploy to HF Spaces
- Run segmentation
- Check Network tab - file URLs should be
https:// - NiiVue should load volumes successfully