[m-ueberall]

Are you sure they have full access to your TLS certificates? Or can't you bring your own in this case?

[tuxone]

They host the website thus they can inject anything anywhere in the body before https kicks in.

[dan1234]

It depends how the code is being injected. If they’re using a an output filter on the web server, they could do it before the encryption stage.

See http://nginx.org/en/docs/http/ngx_http_sub_module.html & https://httpd.apache.org/docs/2.4/filter.html