Header manipulation

Append or remove HTTP request and response headers at the route level.

Appending or removing headers can improve the security posture of your network. You can even manipulate headers on ingress traffic that passes through Gloo Mesh Gateway to services outside your service mesh environment. For example, you might append a custom request header and then enable a cross-origin resource sharing (CORS) policy that requires this custom header. You might also remove headers that reveal details about your server, such as the operating system or the upstream service time, to reduce the amount of information that could be used in targeted attacks.


Before you begin

  1. Complete the demo setup to install Gloo Mesh, Istio, and Bookinfo in your cluster.

  2. Create the Gloo Mesh resources for this policy in the management and workload clusters.

    The following files are examples only for testing purposes. Your actual setup might vary. You can use the files as a reference for creating your own tests.

    Management cluster:

    1. Download the following Gloo Mesh resources: kubernetes-cluster_gloo-mesh_cluster-1.yaml, kubernetes-cluster_gloo-mesh_cluster-2.yaml, and workspace_gloo-mesh_anything.yaml.
    2. Apply the files to your management cluster.
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-1.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f kubernetes-cluster_gloo-mesh_cluster-2.yaml --context ${MGMT_CONTEXT}
      kubectl apply -f workspace_gloo-mesh_anything.yaml --context ${MGMT_CONTEXT}

    Workload cluster:

    1. Download the following Gloo Mesh resources: route-table_bookinfo_httpbin.yaml, virtual-gateway_bookinfo_north-south-gw.yaml, and workspace-settings_bookinfo_anything.yaml.
    2. Apply the files to your workload cluster.
      kubectl apply -f route-table_bookinfo_httpbin.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}

Configure header manipulation policies

You can apply a header manipulation policy at the route level. For more information, see Applying policies.

Review the following sample configuration file.

apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HeaderManipulationPolicy
metadata:
  name: modify-header-hsts
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      namespace: httpbin
  config:
    appendRequestHeaders:
      strict-transport-security: max-age=16070400; includeSubDomains
      x-custom-request: httpbin
    appendResponseHeaders:
      x-content-type-options: nosniff
      x-frame-options: deny
      x-custom-response: httpbin
    removeRequestHeaders:
      - user-agent
    removeResponseHeaders:
      - x-server
      - x-envoy-upstream-service-time

Review the following table to understand this configuration.

Setting: spec.applyToRoutes
  Description: Configure which routes the policy applies to, by using selectors such as labels or, as in this example, the route's namespace. A label selector matches the app and the route from the route table. If omitted, the policy applies to all routes in the workspace.

Setting: spec.config.appendRequestHeaders
  Description: Specify the HTTP headers to add before forwarding a request to the destination. Headers are specified as key: value pairs. The example sets the strict-transport-security and x-custom-request headers. Note that browsers act on strict-transport-security only when it arrives in a response; appended as a request header, it is seen only by the destination service.

Setting: spec.config.appendResponseHeaders
  Description: Specify the HTTP headers to add before returning a response to the caller. Headers are specified as key: value pairs. The example sets the x-content-type-options, x-frame-options, and x-custom-response headers.

Setting: spec.config.removeRequestHeaders
  Description: Specify the HTTP headers to remove before forwarding a request to the destination. Headers are specified by their key names. The example removes the user-agent header.

Setting: spec.config.removeResponseHeaders
  Description: Specify the HTTP headers to remove before returning a response to the caller. Headers are specified by their key names. The example removes the x-server and x-envoy-upstream-service-time headers.

Verify header manipulation policies

  1. Apply the example header manipulation policy in the workload cluster.
    kubectl apply --context ${REMOTE_CONTEXT1} -f header-manipulation-policy.yaml
    
  2. Send a request to the httpbin app through the ingress gateway.
    curl -vik -H "Host: www.example.com" "http://$INGRESS_GW_IP/status/200/"
    
  3. Verify that the request and response headers were added or removed as configured in the policy.
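Step 3 is easier to repeat reliably if the check is scripted. The following helper is an added example, not part of the Gloo Mesh docs: it takes the raw output of `curl -si` and confirms that every response header the sample policy appends is present with its expected value and that every header the policy removes is absent; the function name `check_headers` and the two sample responses are constructed for this page.

```shell
# Added example (not from the Gloo Mesh docs): check that a response captured with
# `curl -si` reflects the policy above. Header names and values are the ones from
# the sample HeaderManipulationPolicy; check_headers is a hypothetical helper.

# check_headers RAW_RESPONSE -> exit status 0 when every appended response header
# is present with its expected value and every removed header is absent.
check_headers() {
    # Header names are case-insensitive, and curl output uses CRLF line endings.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for pair in \
        'x-content-type-options=nosniff' \
        'x-frame-options=deny' \
        'x-custom-response=httpbin'; do
        name=${pair%%=*}
        value=${pair#*=}
        if ! printf '%s\n' "$hdrs" | grep -q "^$name: *$value\$"; then
            echo "MISSING  $name: $value" >&2
            rc=1
        fi
    done
    for name in x-server x-envoy-upstream-service-time; do
        if printf '%s\n' "$hdrs" | grep -q "^$name:"; then
            echo "PRESENT  $name (the policy should have removed it)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample responses (not real captured output) for an offline dry run.
WITH_POLICY='HTTP/1.1 200 OK
server: envoy
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
x-frame-options: deny
x-custom-response: httpbin
content-length: 0'

WITHOUT_POLICY='HTTP/1.1 200 OK
server: envoy
content-type: text/html; charset=utf-8
x-envoy-upstream-service-time: 2
content-length: 0'

# Against the live gateway from step 2, once INGRESS_GW_IP is set:
#   check_headers "$(curl -si -H "Host: www.example.com" "http://$INGRESS_GW_IP/status/200/")"
```

Request-side changes (the appended x-custom-request header and the removed user-agent header) are not visible in the response; httpbin's /headers endpoint echoes the request headers it received, so a second call to that path through the gateway shows whether they took effect.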