From 633bda5ca03af793b42e46e48371897b60b78090 Mon Sep 17 00:00:00 2001
From: linhongkuan
Date: Wed, 24 Jun 2026 21:55:08 +0800
Subject: [PATCH] fix(req): normalize forwarded protocol casing
---
 lib/request.js | 4 ++--
 test/req.protocol.js | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/lib/request.js b/lib/request.js
index 68243f52b6d..17c1ef7a085 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -309,9 +309,9 @@ defineGetter(req, 'protocol', function protocol(){
 var header = this.get('X-Forwarded-Proto') || proto
 var index = header.indexOf(',')
- return index !== -1
+ return (index !== -1
 ? header.substring(0, index).trim()
- : header.trim()
+ : header.trim()).toLowerCase()
 });
 /**
diff --git a/test/req.protocol.js b/test/req.protocol.js
index def82eda922..39095c77324 100644
--- a/test/req.protocol.js
+++ b/test/req.protocol.js
@@ -33,6 +33,36 @@ describe('req', function(){
 .expect('https', done);
 })
+ it('should normalize X-Forwarded-Proto casing', function(done){
+ var app = express();
+
+ app.enable('trust proxy');
+
+ app.use(function(req, res){
+ res.end(req.protocol);
+ });
+
+ request(app)
+ .get('/')
+ .set('X-Forwarded-Proto', 'HTTPS')
+ .expect('https', done);
+ })
+
+ it('should report secure for uppercase X-Forwarded-Proto https', function(done){
+ var app = express();
+
+ app.enable('trust proxy');
+
+ app.use(function(req, res){
+ res.end(String(req.secure));
+ });
+
+ request(app)
+ .get('/')
+ .set('X-Forwarded-Proto', 'HTTPS')
+ .expect('true', done);
+ })
+
 it('should default to the socket addr if X-Forwarded-Proto not present', function(done){
 var app = express();
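Review bot: The forwarded value is lowercased in the new `return` expression but still returned without being checked against `http`/`https`, so any other first token in `X-Forwarded-Proto` (including an empty one before a leading comma) becomes `req.protocol`. If the trusted proxy passes a client-supplied header through unchanged, code that builds absolute URLs or redirects from `req.protocol` inherits that token; consider falling back to the socket-derived value, e.g. `var value = (index !== -1 ? header.substring(0, index) : header).trim().toLowerCase()` followed by `return value === 'http' || value === 'https' ? value : proto`. At minimum the getter's doc comment should state that the result is lowercased, since the new test shows `req.secure` now also reports true for `HTTPS`. The getter starts above the hunk, so the trust-proxy check and the definition of `proto` are not visible here.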
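Review bot: Both new tests send a single uppercase value, so the comma-separated branch of the changed getter (`header.substring(0, index).trim()`) is never exercised with mixed casing; a case using `.set('X-Forwarded-Proto', 'HTTPS, http')` and expecting `https` would cover it. A negative case is also worth adding: with `trust proxy` left disabled, an `HTTPS` header should still yield `http` and `req.secure` false, which pins that the normalization does not widen what an untrusted client can assert. The enclosing `describe` block starts and ends outside the hunk, so existing coverage of those cases cannot be confirmed from here.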