diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index 36a0627..3e132d9 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -435,6 +435,15 @@ function _drupal_request_initialize() {
   global $base_path, $base_root, $script_path;
   global $base_secure_url, $base_insecure_url;
 
+  // If we're behind a reverse proxy, the HTTPS environment variable may be out of
+  // sync with what is actually happening on the site. Our request object takes care
+  // of sorting out reverse proxies so we ask it if we're secure and then ensure the
+  // environment is set correctly.
+  // @todo This should move into the kernel bootstrap when it can support it. It is needed even in D8.
+  if (\Drupal::request()->isSecure()) {
+    $_SERVER['HTTPS'] = 'on';
+  }
+
   $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';
 
   if (isset($base_url)) {
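Review bot: The added write to `$_SERVER['HTTPS']` makes every later HTTPS check, including the `$is_https` assignment right after it, depend on how the request object decides to trust forwarded-protocol headers. Nothing in this hunk shows that the trusted-proxy settings have been applied to the request before `_drupal_request_initialize()` runs. If that trust list is broader than the real proxies, a client-supplied header would presumably be enough to mark a plain-HTTP request as secure, so the comment should state the dependency, e.g. `// Only correct once the request's trusted proxy list is configured; isSecure() decides whether forwarded headers are honoured.` The block also corrects one direction only: when `isSecure()` is false but the proxy-to-backend hop sets HTTPS, the stale value stays, which `else { unset($_SERVER['HTTPS']); }` would cover if that case is meant to be handled. The function body starts and ends outside the hunk, so later uses of `$is_https` are not visible here.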
