isSecureFilter lets a rule act on the TLS boundary without resorting to URL parsing. It returns true for any exchange that travels over a secure tunnel and false for cleartext HTTP. Use it to gate certificate logic, audit migration progress or apply protocol level actions only where they make sense.
Reach for isSecureFilter when you want a rule to apply only to HTTPS exchanges, or conversely only to plain HTTP. It is the cleanest way to split a rule pipeline along the TLS boundary without writing a regex on the URL.
Typical situations:
The filter evaluates on the onAuthorityReceived scope, so Fluxzy already knows whether the exchange will be tunneled over TLS by the time it fires. Combine it with hostFilter or authorityFilter when you need to scope further.
Avoid presenting a client certificate on cleartext exchanges, which would be a no-op anyway, by gating the action behind isSecureFilter.
rules:
- filter:
typeKind: IsSecureFilter
actions:
- typeKind: SetClientCertificateAction
clientCertificate:
retrieveMode: FromUserStoreThumbPrint
thumbPrint: 9b74a1d3f8e2c47c0b6e2bb4f6c5c2e1a7f0d3b9
Invert the filter to mark every plain HTTP exchange with a tag, useful when migrating a legacy app to HTTPS and you need to see what still leaks in cleartext.
rules:
- filter:
typeKind: IsSecureFilter
inverted: true
actions:
- typeKind: ApplyTagAction
tag:
value: cleartext-http
Force TLS 1.3 on every secure exchange while leaving plain HTTP alone. Pair with a hostFilter if you only want this for a specific destination.
rules:
- filter:
typeKind: IsSecureFilter
actions:
- typeKind: ForceTlsVersionAction
tlsVersion: Tls13
Select secure exchange only (non plain HTTP).
Evaluation scope defines the timing where this filter will be applied.
onAuthorityReceived This scope denotes the moment fluxzy is aware the destination authority. In a regular proxy connection, it will occur the moment where fluxzy parsed the CONNECT request.
isSecureFilter
This filter has no specific characteristic
The following table describes the customizable properties available for this filter:
| Property | Type | Description | DefaultValue |
|---|---|---|---|
| inverted | boolean | Negate the filter result | false |
The following examples apply a comment to the filtered exchange
Select secure exchange only (non plain HTTP).
rules:
- filter:
typeKind: IsSecureFilter
actions:
- typeKind: ApplyCommentAction
comment: filter was applied
View definition of IsSecureFilter for .NET integration.
This filter has no related filter
isSecureFilter inspects whether the exchange will be tunneled over TLS, which is known as soon as Fluxzy parses the CONNECT request from the client. Plain HTTP exchanges that arrive without a TLS handshake are considered non-secure.
Yes. wss is HTTPS with an Upgrade header. The filter matches on the TLS layer regardless of the higher level protocol. Pair with isWebSocketFilter when you need both conditions.
Yes. Set inverted: true to select every non-secure exchange. This is useful for auditing legacy traffic that should be migrated to HTTPS.
isSecureFilter relies on the actual TLS state, not the URL scheme. It is more robust because it cannot be fooled by an unusual URL form. Prefer it when correctness matters.