diff --git a/lib/request.js b/lib/request.js
index 1205c6c25a..013bff4d7e 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -345,11 +345,10 @@ req.is = function(type){
 
 req.__defineGetter__('protocol', function(){
   var trustProxy = this.app.get('trust proxy');
-  return this.connection.encrypted
-    ? 'https'
-    : trustProxy
-      ? (this.get('X-Forwarded-Proto') || 'http')
-      : 'http';
+  if (this.connection.encrypted) return 'https';
+  if (!trustProxy) return 'http';
+  var proto = this.get('X-Forwarded-Proto') || 'http';
+  return proto.split(/\s*,\s*/)[0];
 });
 
 /**
diff --git a/test/req.secure.js b/test/req.secure.js
index c15d5933ef..6c59a898fd 100644
--- a/test/req.secure.js
+++ b/test/req.secure.js
@@ -48,6 +48,36 @@ describe('req', function(){
         .set('X-Forwarded-Proto', 'https')
         .expect('yes', done)
       })
+
+      it('should return false when initial proxy is http', function(done){
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.get('/', function(req, res){
+          res.send(req.secure ? 'yes' : 'no');
+        });
+
+        request(app)
+        .get('/')
+        .set('X-Forwarded-Proto', 'http, https')
+        .expect('no', done)
+      })
+
+      it('should return true when initial proxy is https', function(done){
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.get('/', function(req, res){
+          res.send(req.secure ? 'yes' : 'no');
+        });
+
+        request(app)
+        .get('/')
+        .set('X-Forwarded-Proto', 'https, http')
+        .expect('yes', done)
+      })
     })
   })
 })