diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index 8bbdd91..6b6148a 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -552,6 +552,14 @@ function drupal_settings_initialize() {
   }
 
   new Settings(isset($settings) ? $settings : array());
+  // If $_SERVER['HTTP_X_FORWARDED_PROTO'] is set, the web server may be serving
+  // a https request to the end user while communicating on an unencrypted
+  // channel with PHP. In this case, even though $_SERVER['HTTPS'] is not set by
+  // the web server, Drupal needs to behave as though it was set to 'on' or any
+  // rendered output may inappropriately contain links to insecure content.
+  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
+    $_SERVER['HTTPS'] = 'on';
+  }
   $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';
 
   if (isset($base_url)) {