Insecure XMLHttpRequest endpoint

I have…

  • [ ] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ ] Performance issue
  • [X ] Documentation issue or request

Current behavior

We moved an installation of Squidex that was on HTTP to a production server and it is now on HTTPS. When you enter your user credentials and press login, it stays on the login screen and loops.

Expected behavior

After login it should take you to the dashboard

Minimal reproduction of the problem

It happens with the only login which is the admin login at the moment. The error we get is:

“. . .was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ‘’. This request has been blocked; the content must be served over HTTPS.”


  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ x] Self hosted with other version
  • [ ] Cloud version

Version: [VERSION]


  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ X] Chrome (iOS)
  • [ ] Firefox
  • [ X] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

We set the Login redirect to True. If you have it on false and you land on the domain you can click the LOGIN button which opens up the popup. When you put your credentials in the popup the popup closes and it stays on the landing page

What is your base url? I will send you the actual one in PM

Okay, this is correct, just ensure that https is used there. Are you running behind a load balancer? If yes, ensure that X-Forwarded-Proto is configured correctly. I am not sure where this http thing is coming from.

no load balancer. It is a standard Linux server. All ports are open as well

Then I have no idea where this http request is coming from. Are you sure that the base url is picked up correctly and contains https? How do you do https?