Indicates whether the client-side connection used TLS to connect to Fastly.

Fastly writes this header into requests. It is proprietary to Fastly.

Set to "1" on requests that arrived at Fastly over TLS, if the header is not already present on the request.

HINT: In VCL services, fastly_info.edge.is_tls is a better choice in all scenarios in which the Fastly-SSL header might otherwise be used. In Compute@Edge services, each language SDK exposes connection properties which are also a better choice than relying on Fastly-SSL.

Be aware of several important caveats when using this header:

  • If the client request includes this header, Fastly will not overwrite or correct it. A client capable of setting arbitrary headers can therefore spoof the value of Fastly-SSL.
  • If the Fastly service is configured to use shielding, the connection between the edge and shield POPs uses TLS if the origin itself supports TLS. The value of Fastly-SSL when read on a machine acting as a shield will therefore be "1" if the origin is configured with TLS enabled.

For a secure method of detecting the TLS state of the connection, see fastly_info.edge.is_tls.