Header manipulation
Append or remove HTTP request and response headers at the route level.Appending or removing headers can increase the security of your network. You can even manipulate headers on ingress traffic that goes through Gloo Gateway to services outside your cluster environment. For example, you might append a custom request header and then also enable a cross-origin request sharing (CORS) policy that requires this custom header. You might also remove any headers that provide details about your server, such as the operating system or upstream service time, to reduce the amount of information that could be used in targeted attacks.
For more information, see the following resources.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
Before you begin
Follow the getting started instructions to:
- Set up Gloo Gateway in a single cluster.
- Deploy sample apps.
- Configure an HTTP listener on your gateway and set up basic routing for the sample apps.
Configure header manipulation policies
You can apply a header manipulation policy at the route level. For more information, see Applying policies.
Review the following sample configuration file.
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HeaderManipulationPolicy
metadata:
annotations:
cluster.solo.io/cluster: ""
name: header-manipulation
namespace: bookinfo
spec:
applyToRoutes:
- route:
labels:
route: ratings
config:
appendResponseHeaders:
header-manipulation: ratings-route
appendRequestHeaders:
custom-request-header: ratings-request
removeRequestHeaders:
- user-agent
removeResponseHeaders:
- content-length
| Setting | Description |
|---|---|
spec.applyToRoutes |
Use labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace. |
spec.config.appendRequestHeaders |
Specify the HTTP headers to add before forwarding a request to the destination. Headers are specified in a key: value pair. The example sets the custom-request-header: ratings-request request header. |
spec.config.appendResponseHeaders |
Specify the HTTP headers to add before returning a response to the caller. Headers are specified in a key: value pair. The example sets the header-manipulation: ratings-route header. |
spec.config.removeRequestHeaders |
Specify the HTTP headers to remove before forwarding a request to the destination. Headers are specified by their key names. The example removes the user-agent request header. |
spec.config.removeResponseHeaders |
Specify the HTTP headers to remove before returning a response to the caller. Headers are specified by their key names. The example removes content-length response header. |
Verify header manipulation policies
-
Apply the example header manipulation policy in the workload cluster.
kubectl apply -f header-manipulation-policy.yaml -
Send a request to the ratings app.
-
Verify that you notice the added or removed request and response headers.
> GET /ratings/1 HTTP/2 > Host: www.example.com > user-agent: curl/7.77.0 > accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)! < HTTP/2 200 HTTP/2 200 < content-type: application/json content-type: application/json < date: Wed, 17 Aug 2022 20:41:59 GMT date: Wed, 17 Aug 2022 20:41:59 GMT < x-envoy-upstream-service-time: 2 x-envoy-upstream-service-time: 2 < header-manipulation: ratings-route header-manipulation: ratings-route < server: istio-envoy server: istio-envoy