Appending or removing headers can increase the security of your network. You can even manipulate headers on ingress traffic that goes through Gloo Mesh Gateway to services outside your service mesh environment. For example, you might append a custom request header and then also enable a cross-origin resource sharing (CORS) policy that requires this custom header. You might also remove any headers that reveal details about your server, such as the operating system or the upstream service time, to reduce the amount of information that could be used in targeted attacks.

Before you begin

  1. Set up Gloo Mesh Gateway in a single cluster.
  2. Install Bookinfo and other sample apps.
  3. Configure an HTTP listener on your gateway and set up basic routing for the sample apps.

Configure header manipulation policies

You can apply a header manipulation policy at the route level. For more information, see Applying policies.

Review the following sample configuration file.

  cat > header-manipulation.yaml << EOF
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: HeaderManipulationPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: header-manipulation
  namespace: bookinfo
spec:
  applyToRoutes:
  - route:
      labels:
        route: ratings
  config:
    appendResponseHeaders:
      header-manipulation: ratings-route
    appendRequestHeaders:
      custom-request-header: ratings-request
    removeRequestHeaders:
      - user-agent
    removeResponseHeaders:
      - content-length
EOF

Review the following table to understand this configuration. For more information, see the API docs.

Setting: applyToRoutes
  Use labels to configure which routes to apply the policy to. This example label matches the app and route from the example route table that you apply separately. If omitted, and you do not have another selector such as applyToDestinations, the policy applies to all routes in the workspace.

Setting: appendRequestHeaders
  Specify the HTTP headers to add before forwarding a request to the destination. Headers are specified as key: value pairs. The example sets the custom-request-header: ratings-request request header.

Setting: appendResponseHeaders
  Specify the HTTP headers to add before returning a response to the caller. Headers are specified as key: value pairs. The example sets the header-manipulation: ratings-route response header.

Setting: removeRequestHeaders
  Specify the HTTP headers to remove before forwarding a request to the destination. Headers are specified by their key names. The example removes the user-agent request header.

Setting: removeResponseHeaders
  Specify the HTTP headers to remove before returning a response to the caller. Headers are specified by their key names. The example removes the content-length response header.

Verify header manipulation policies

  1. Apply the example header manipulation policy in the cluster that has the Bookinfo workspace in your example setup. The file name matches the one written by the cat command above.

      kubectl apply -f header-manipulation.yaml

  2. Send a request to the app.

    • HTTP:
        curl -vik --resolve www.example.com:80:${INGRESS_GW_ADDRESS} http://www.example.com:80/ratings/1
        
    • HTTPS:
        curl -vik --resolve www.example.com:443:${INGRESS_GW_ADDRESS} https://www.example.com:443/ratings/1 
        
  3. Verify that the request and response headers were added or removed as the policy specifies. In the example response, the header-manipulation: ratings-route header is present and the content-length header is absent.

    Example response:

      > GET /ratings/1 HTTP/2
      > Host: www.example.com
      > user-agent: curl/7.77.0
      > accept: */*
      > 
      * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
      < HTTP/2 200 
      HTTP/2 200 
      < content-type: application/json
      content-type: application/json
      < date: Wed, 17 Aug 2022 20:41:59 GMT
      date: Wed, 17 Aug 2022 20:41:59 GMT
      < x-envoy-upstream-service-time: 2
      x-envoy-upstream-service-time: 2
      < header-manipulation: ratings-route
      header-manipulation: ratings-route
      < server: istio-envoy
      server: istio-envoy

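As an added example that is not part of the Gloo Mesh Gateway docs, the following script checks the "<" response lines that curl -v prints against the sample policy above (header-manipulation: ratings-route appended, content-length removed) and lists response headers that still reveal server details, as the introduction recommends removing. The sample curl output and the list of informational header names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Gloo Mesh docs: verify the sample
# HeaderManipulationPolicy from a captured "curl -vik" response.

# Constructed sample of the "< " lines curl -v prints for the ratings route.
SAMPLE_CURL_OUTPUT='< HTTP/2 200
< content-type: application/json
< date: Wed, 17 Aug 2022 20:41:59 GMT
< x-envoy-upstream-service-time: 2
< header-manipulation: ratings-route
< server: istio-envoy'

# response_headers OUTPUT: print "name: value" lines for the response headers,
# with header names lower-cased (HTTP header names are case-insensitive).
response_headers() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^< \([A-Za-z0-9-][A-Za-z0-9-]*\): *\(.*\)$/\1: \2/p' |
    awk '{ n = index($0, ":"); print tolower(substr($0, 1, n - 1)) substr($0, n) }'
}

# has_header OUTPUT NAME [VALUE]: succeed if the header (with VALUE, if given) is present.
has_header() {
  if [ -n "$3" ]; then
    response_headers "$1" | grep -q "^$2: $3\$"
  else
    response_headers "$1" | grep -q "^$2:"
  fi
}

# check_policy OUTPUT: succeed only if the appended response header is present
# and the removed header (content-length) is absent, as the sample policy specifies.
check_policy() {
  has_header "$1" header-manipulation ratings-route || return 1
  has_header "$1" content-length && return 1
  return 0
}

# leaky_headers OUTPUT: print, space separated, the informational headers still
# present. The list of names is an assumption; extend it for your environment.
leaky_headers() {
  found=""
  for name in server x-envoy-upstream-service-time x-powered-by via; do
    has_header "$1" "$name" && found="$found $name"
  done
  printf '%s\n' "${found# }"
}

check_policy "$SAMPLE_CURL_OUTPUT" && echo "policy applied to the ratings route"
echo "headers that still reveal server details: $(leaky_headers "$SAMPLE_CURL_OUTPUT")"
```

To run it against a live gateway, replace SAMPLE_CURL_OUTPUT with the output of the curl command from step 2 (for example, captured with 2>&1).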

Cleanup

You can optionally remove the resources that you set up as part of this guide. The policy name matches the metadata.name in the sample configuration.

  kubectl -n bookinfo delete RouteTable ratings-rt
  kubectl -n bookinfo delete HeaderManipulationPolicy header-manipulation