Definition
Domain fronting is a circumvention technique that hides the true destination of an HTTPS request by presenting one (typically permitted) domain in the connection's visible fields while the actual target is named only inside the encrypted portion. To an on-path observer, the request appears bound for an innocuous, widely used service; only after decryption — which the observer cannot perform — does the real destination emerge. It is used to restore access to one's own lawful communication where a network filter blocks specific destinations by name, and it works by making that blocking decision as expensive as possible.
The technique was never designed — it was noticed. Content delivery networks and cloud front ends routed requests by the inner Host header for their own operational reasons, and circumvention researchers around 2013–2015 recognized that this routing behavior, combined with TLS's split between visible and encrypted destination names, added up to a ready-made hiding place requiring no cooperation from anyone. That accidental origin is the key to understanding both its elegance and its fragility: fronting exploited a property the platforms had never promised to maintain, and when maintaining it became inconvenient for them, there was no standard, no contract, and no protocol guarantee to appeal to — only a behavior that quietly changed.
The SNI versus Host split
The technique lives in a seam between two layers that both name a destination. When a TLS connection opens, the requested hostname appears in the Server Name Indication (SNI) field of the handshake — sent in cleartext in classic TLS, and readable by any censor on the path, alongside the DNS lookup that preceded it. But the HTTP Host header, which actually tells the receiving infrastructure which back-end service to route to, travels inside the encrypted channel. Domain fronting exploits the gap: DNS and SNI point at a tolerated front domain, while the hidden Host header names the real, blocked endpoint. A shared platform — a CDN or cloud front end serving thousands of domains from the same infrastructure — terminates the TLS, reads the inner header, and routes accordingly. The censor sees a connection to the front; the platform delivers traffic to the target.
Collateral freedom and its limits
The strategy is called collateral freedom: the front domain is chosen to be so economically or socially important that blocking it costs the censor more than the hidden traffic is worth — cutting off an entire cloud platform to stop one tunnel breaks commerce, banking apps, and government services alike. The technique's structural weakness is that it requires the shared platform's cooperation, or at least indifference: the infrastructure must be willing to route a request whose SNI and Host disagree. Around 2018, several of the largest cloud providers disabled exactly that behavior under a combination of security rationales and state pressure, sharply narrowing where classic fronting still works — a reminder that this technique borrows someone else's centralized infrastructure, and what is borrowed can be revoked. Fronting persists on some platforms, and successor techniques in the same spirit route rendezvous traffic through other high-value shared services.
Where it is used
Domain fronting's most important role has been as a signaling channel rather than a bulk transport: circumvention systems use it for the small, critical first hop — discovering a proxy, reaching a broker — after which heavier traffic flows elsewhere. The meek transport tunnels traffic through fronted HTTPS directly, and Snowflake historically used fronting to protect its broker rendezvous. Secure messengers have likewise leaned on fronting to stay reachable during country-level blocks. The wider ecosystem of such tools is covered under pluggable transport.
The lesson for sovereignty
Domain fronting is clever, effective — and a dependency on other people's platforms. Its partial demise is one of the clearest object lessons in why the sovereignty ethic prefers infrastructure that cannot be switched off by a policy change: techniques that hide among centralized giants inherit the giants' obedience. Encrypted-SNI successors in newer TLS versions aim to close the visible-name gap at the protocol level rather than by borrowing cover — solving with open standards what fronting solved with someone else's brand. Meanwhile, filters that inspect traffic at scale are the subject of our deep packet inspection entry.
In Simple Terms
Domain fronting is a circumvention technique that hides the true destination of an HTTPS request by presenting one (typically permitted) domain in the connection’s visible…
