tuupola/slim-basic-auth

Connecting over HTTP when I should not be able to

takonako opened this issue · 1 comments

Hi. Everything was working fine for years. Even three months ago, when my Let's Encrypt cert expired and my hosting didn't renew it, I noticed the expiration of the cert right away because connections started to get bounced by the middleware.

This time around the same thing has happened: the cert expired, but the middleware didn't catch it and all connections are going through as normal. I only knew because of all the browser warnings and the red padlock. The expiry date was two days ago.

I was not using either "relaxed" or "secure" all these years. I just added "secure" => true now, but it didn't help.

By getting a var_dump of $request I see:
$_SERVER ["HTTPS"] is 'ON'.
["SERVER_PORT"] is '443'.
["REQUEST_SCHEME"] is "https"
No mention of ['HTTP_X_FORWARDED_PROTO']
No mention of ['HTTP_FRONT_END_HTTPS']
I am using Slim3.

I don't know what other info might be relevant. Please tell me and I will provide it.

Thank you so much. It is very important that if my renewal fails again, user info is not transmitted insecurely.

And I want to take the opportunity to thank you sincerely for your work on this, which has been of so much benefit to us!

Sorry, just realized only part of the cert expired. The cert for the subdomain where the api is hosted remained valid so all was as expected. Also, meant to post this to the JWT issues forum but made a mistake. Please delete if possible. Thanks.