By using any external application, we can modify the X-forwarded-proto to http and proceed to post the request to server. The request will treat as http and the server application generate the link/url with http instead of https. What is the best solution for preventing this header manipulation in Drupal?
If the user change proto to http via any external tool, the server should block/handle the http requests.