Definition
Domain fronting is a circumvention technique that hides the true destination of an HTTPS request by presenting one (typically permitted) domain in the visible parts of the connection while the actual target is named only inside the encrypted portion. To an on-path observer the request appears to be headed to an innocuous, widely-used service, which makes blocking it costly. It is used to restore access to one's own lawful communication where a filter blocks specific destinations by name.
The SNI versus Host split
A TLS connection reveals the requested hostname in the Server Name Indication (SNI) field, which a censor can read. The HTTP Host header, which actually selects the back-end service, travels inside the encrypted channel. Domain fronting exploits this gap: the SNI and DNS query point at a tolerated front domain, while the hidden Host header points at the real, blocked endpoint. A shared platform serving both then routes the request by the inner header.
Collateral freedom and its limits
The technique relies on "collateral freedom": the front domain is so important that censors will not block it just to stop the hidden traffic. Its weakness is that the shared platform must allow the SNI and Host to disagree. Several large providers have since disabled that behavior, narrowing where domain fronting still works, though it remains viable on some infrastructure.
For transports that build on this method, see the meek and Snowflake glossary entries.
In Simple Terms
Domain fronting is a circumvention technique that hides the true destination of an HTTPS request by presenting one (typically permitted) domain in the visible parts…